JVNDB-2024-001002

[Japanese]
JVNDB-2024-001002
Multiple TP-Link products vulnerable to OS command injection
Overview
Multiple products provided by TP-LINK contain multiple vulnerabilities listed below. * OS command injection (CWE-78) - CVE-2024-21773 * OS command injection (CWE-78) - CVE-2024-21821 * OS command injection (CWE-78) - CVE-2024-21833 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 7.5 (High) [Other] Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High The above CVSS base scores have been assigned for CVE-2024-21773
CVSS V3 Severity: Base Metrics:7.1 (High) [Other] Attack Vector: Adjacent Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High The above CVSS base scores have been assigned for CVE-2024-21821
CVSS V3 Severity: Base Metrics:7.5 (High) [Other] Attack Vector: Adjacent Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High The above CVSS base scores have been assigned for CVE-2024-21833
Affected Products

TP-LINK Technologies Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115" (CVE-2024-21773, CVE-2024-21821, CVE-2024-21833) Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115" (CVE-2024-21773, CVE-2024-21821, CVE-2024-21833) Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115" (CVE-2024-21821, CVE-2024-21833) Deco X50 Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122" (CVE-2024-21773, CVE-2024-21833) Deco XE200 Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120" (CVE-2024-21773, CVE-2024-21833)

Impact
* An arbitrary OS command may be executed by an attacker with access to the product - CVE-2024-21773, CVE-2024-21833 * An arbitrary OS command may be executed by a logged-in user - CVE-2024-21821
Solution
[Update the Firmware] Update the firmware to the latest version according to the information provided by the developer.
Vendor Information
TP-LINK Technologies TP-LINK Technologies : Download Center (in Japanese) TP-LINK Technologies : Contents for Archer AX3000 V1 (in Japanese) TP-LINK Technologies : Contents for Archer AX5400 V1 (in Japanese) TP-LINK Technologies : Contents for Archer AXE75 V1 (in Japanese) TP-LINK Technologies : Contents for Deco X50 V1 (in Japanese) TP-LINK Technologies : Contents for Deco XE200 V1 (in Japanese)
CWE (What is CWE?)
OS Command Injection(CWE-78) [Other]
CVE (What is CVE?)
CVE-2024-21773 CVE-2024-21821 CVE-2024-21833
References
JVN : JVNVU#91401812 National Vulnerability Database (NVD) : CVE-2024-21773 National Vulnerability Database (NVD) : CVE-2024-21821 National Vulnerability Database (NVD) : CVE-2024-21833
Revision History
[2024/01/10] Web page was published [2024/03/14] References : Contents were added


Date Public	2024/01/09
Date First Published	2024/01/10
Date Last Updated	2024/03/14

Multiple TP-Link products vulnerable to OS command injection