JVNDB-2024-000087
|
BUFFALO wireless LAN routers and wireless LAN repeaters vulnerable to OS command injection
|
Wireless LAN routers and wireless LAN repeaters provided by BUFFALO INC. contain an OS command injection vulnerability (CWE-78).
Yoshiki Mori and Masaki Kubo of the National Institute of Information and Communications Technology, Cybersecurity Research Laboratory reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.2 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
|
BUFFALO INC.
- WEX-1166DHP Ver. 1.23 and earlier
- WEX-1166DHP2 Ver. 1.05 and earlier
- WEX-1166DHPS Ver. 1.05 and earlier
- WEX-300HPS/N Ver. 1.02 and earlier
- WEX-300HPTX/N Ver. 1.02 and earlier
- WEX-733DHP Ver. 1.64 and earlier
- WEX-733DHP2 Ver. 1.03 and earlier
- WEX-733DHPS Ver. 1.02 and earlier
- WEX-733DHPTX Ver. 1.03 and earlier
- WHR-1166DHP2 Ver. 2.95 and earlier
- WHR-1166DHP3 Ver. 2.95 and earlier
- WHR-1166DHP4 Ver. 2.95 and earlier
- WSR-1166DHP3 Ver. 1.18 and earlier
- WHR-1166DHP Ver. 2.92 and earlier
- WHR-300HP2 Ver. 2.51 and earlier
- WHR-600D Ver. 2.91 and earlier
- WMR-300 Ver. 2.50 and earlier
- WSR-600DHP Ver. 2.93 and earlier
|
|
If a user who is logged in to the management page sends a specially crafted request to the affected product from a specific management page of the product, an arbitrary OS command may be executed.
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
BUFFALO INC.
|
- OS Command Injection (CWE-78) [IPA Evaluation]
|
- CVE-2024-44072
|
- JVN : JVN#12824024
|
- [2024/08/23]
Web page was published
|