[Japanese]
|
JVNDB-2024-001002
|
Multiple TP-Link products vulnerable to OS command injection
|
Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.
* OS command injection (CWE-78) - CVE-2024-21773
* OS command injection (CWE-78) - CVE-2024-21821
* OS command injection (CWE-78) - CVE-2024-21833
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 7.5 (High) [Other]
- Attack Vector: Adjacent Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21773
|
CVSS V3 Severity:
Base Metrics:7.1 (High) [Other]
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21821
|
CVSS V3 Severity:
Base Metrics:7.5 (High) [Other]
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21833
|
|
TP-LINK Technologies
- Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115" (CVE-2024-21773, CVE-2024-21821, CVE-2024-21833)
- Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115" (CVE-2024-21773, CVE-2024-21821, CVE-2024-21833)
- Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115" (CVE-2024-21821, CVE-2024-21833)
- Deco X50 Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122" (CVE-2024-21773, CVE-2024-21833)
- Deco XE200 Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120" (CVE-2024-21773, CVE-2024-21833)
|
|
* An arbitrary OS command may be executed by an attacker with access to the product - CVE-2024-21773, CVE-2024-21833
* An arbitrary OS command may be executed by a logged-in user - CVE-2024-21821
|
[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
TP-LINK Technologies
|
- OS Command Injection(CWE-78) [Other]
|
- CVE-2024-21773
- CVE-2024-21821
- CVE-2024-21833
|
- JVN : JVNVU#91401812
- National Vulnerability Database (NVD) : CVE-2024-21773
- National Vulnerability Database (NVD) : CVE-2024-21821
- National Vulnerability Database (NVD) : CVE-2024-21833
|
- [2024/01/10]
Web page was published
- [2024/03/14]
References : Contents were added
|