[Japanese]
|
JVNDB-2021-001575
|
Multiple vulnerabilities in Buffalo WSR-1166DHP3 and WSR-1166DHP4 routers
|
Buffalo WSR-1166DHP3 and WSR-1166DHP4 routers provided by Buffalo Inc. contain multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2021-20730
* OS command injection (CWE-78) - CVE-2021-20731
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 8.3 (High) [NVD Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2021-20731
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20730
|
|
BUFFALO INC.
- WSR-1166DHP3 firmware Ver.1.16 and prior
- WSR-1166DHP4 firmware Ver.1.02 and prior
|
|
* An unauthenticated network-adjacent attacker can obtain configuration information. - CVE-2021-20730
* An unauthenticated network-adjacent attacker can execute multiple OS commands with root privileges. - CVE-2021-20731
|
[Update firmware]
Apply the appropriate firimware update according to the information provided by the developer.
The developer has released fixed versions listed below.
* WSR-1166DHP3 firmware Ver.1.17
* WSR-1166DHP4 firmware Ver.1.03
|
BUFFALO INC.
|
- Improper Access Control(CWE-284) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
|
- CVE-2021-20730
- CVE-2021-20731
|
- JVN : JVNVU#92862829
- National Vulnerability Database (NVD) : CVE-2021-20730
- National Vulnerability Database (NVD) : CVE-2021-20731
|
- [2021/06/01]
Web page was published
|