CVE-2023-26062
Improper access control with Nokia Web Element Manager
Public disclosure | 13-06-2023 |
---|---|
Last updated | 13-06-2023 |
Vulnerability type | Incorrect Access Control |
CVSS vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS score | 7.0 |
Description
An internal fault in the mobile network solution has been found in Nokia Web Element Manager 21B. The vulnerability cannot be exploited from outside the mobile network solution architecture: exploitation is not possible from mobile network user UEs, from roaming networks, or from the Internet. It is possible only from the CSP (Communication Service Provider) mobile network solution's internal BTS management network.
Due to this vulnerability, the Nokia Web Element Manager allows an unprivileged user (who must be logged in) to execute administrative functions.
Affected products and versions
Product | Versions |
---|---|
Nokia Web Element Manager | Single RAN 21B onwards. |
Mitigation plan
A fix has been provided on top of SRAN 22R1 onwards.
Acknowledgements
- Massimiliano Ferraresi (TIM S.p.A)
- Luca Borzacchiello (TIM S.p.A)
- Massimiliano Brolli (TIM S.p.A)
Change history: Initial version published on 13-06-2023