{"id":"UBUNTU-CVE-2023-38320","details":"An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a show_preauthpage NULL pointer dereference that can be triggered with a crafted HTTP GET request with a missing User-Agent header. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). This problem was fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28 August 2023 by updating OpenNDS to version 10.1.3.","modified":"2026-02-04T02:53:50.453428Z","published":"2023-11-17T06:15:00Z","withdrawn":"2025-06-23T15:56:53Z","related":["CVE-2023-38320"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-38320"},{"type":"REPORT","url":"https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx"},{"type":"REPORT","url":"https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-38320"}],"affected":[{"package":{"name":"opennds","ecosystem":"Ubuntu:24.10","purl":"pkg:deb/ubuntu/opennds@10.2.0+dfsg-1build2?arch=source&distro=oracular"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["10.2.0+dfsg-1build2"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38320.json"}},{"package":{"name":"opennds","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/opennds@10.2.0+dfsg-1build2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.10.0-1","10.2.0+dfsg-1","10.2.0+dfsg-1build1","10.2.0+dfsg-1build2"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38320.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}