Path Traversal Vulnerability in AXIS OS Affecting VAPIX API
CVE-2023-21417

7.1HIGH

Key Information:

Vendor: Axis Communications Ab
Status: Axis Os
Vendor: CVE Published:; 21 November 2023

🔔 Create Axis Communications Ab Vulnerability Alert

What is CVE-2023-21417?

A vulnerability in AXIS OS's VAPIX API allows for path traversal attacks which can lead to unauthorized file and folder deletion. This flaw requires authentication with an operator or administrator-level service account for exploitation. When using operator service accounts, the risk is limited to non-system files, while administrator privileges allow broader access. AXIS has addressed this issue by releasing patched versions of AXIS OS. For further details and solutions, please consult the Axis security advisory.

Affected Version(s)

AXIS OS AXIS OS 8.50 – 11.6

References

https://www.axis.com/dam/public/2a/82/12/cve-2023-21417-e...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2023
Vulnerability Reserved
Nov 4, 2022