|
[Japanese]
|
JVNDB-2022-000036
|
Multiple vulnerabilities in Rakuten Casa
|
|
Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.
* Use of Hard-coded Credentials (CWE-798) - CVE-2022-29525
* Improper Access Control (CWE-284) - CVE-2022-28704
* Improper Access Control (CWE-284) - CVE-2022-26834
CVE-2022-29525
Narumi Hirai of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2022-28704
Hiroki Oshiro and Tagawa, Masaki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2022-26834
Tagawa, Masaki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 7.8 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-28704
|
CVSS V3 Severity:
Base Metrics
5.9 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: High
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
7.1 (High)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: Complete
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29525
|
CVSS V3 Severity:
Base Metrics
7.5 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
7.8 (High)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: Complete
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-26834
|
|
|
Rakuten Mobile, Inc.
- Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0
|
|
|
* An attacker who can obtain information about the product housing may log in with the root privileges and perform arbitrary operations - CVE-2022-29525
* If the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings, a remote attacker may log in with the root privileges and perform arbitrary operations - CVE-2022-28704
* The information stored in the product may be obtained as the product is set to accept HTTP connections from the WAN side by default - CVE-2022-26834
|
|
[Update the software]
According to the developer, the fixed software for these vulnerabilities has been released in August 2021, and in the case where the product housing is properly set in accordance with Terms of Installation, the update is applied automatically.
|
|
Rakuten Mobile, Inc.
|
|
- Permissions(CWE-264) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2022-29525
- CVE-2022-28704
- CVE-2022-26834
|
|
- JVN : JVN#46892984
- National Vulnerability Database (NVD) : CVE-2022-26834
- National Vulnerability Database (NVD) : CVE-2022-28704
- National Vulnerability Database (NVD) : CVE-2022-29525
|
|
- [2022/5/19]
Web Page was published
- [2024/06/18]
References : Contents were added
|
