Vulnerabilities > CVE-2023-38313 - NULL Pointer Dereference vulnerability in Opennds Captive Portal

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

opennds

CWE-476

NVD

Published: 2023-11-17

Updated: 2023-11-23

Summary

An issue was discovered in OpenNDS Captive Portal before 10.1.2. it has a do_binauth NULL pointer dereference that can be triggered with a crafted GET HTTP request with a missing client redirect query string parameter. Triggering this issue results in crashing openNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.

Vulnerable Configurations

Part	Description	Count
Application	Opennds Opennds Captive Portal *	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://github.com/openNDS/openNDS/releases/tag/v10.1.2