Sign-up

ID

VAR-201411-0384


CVE

CVE-2014-8423


TITLE

ARRIS VAP2500 Management portal execution arbitrary command vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005687

DESCRIPTION

Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors. Supplementary information : CWE Vulnerability type by CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ( injection ) Has been identified. http://cwe.mitre.org/data/definitions/74.htmlAn arbitrary command may be executed by a third party. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of access to the management portal. The issue lies in the ability to execute arbitrary commands without any sanitization. An attacker can leverage this vulnerability to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA

Trust: 3.15

sources: NVD: CVE-2014-8423 // JVNDB: JVNDB-2014-005687 // ZDI: ZDI-14-389 // CNVD: CNVD-2014-08576 // BID: 71299 // VULHUB: VHN-76368

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-08576

AFFECTED PRODUCTS

vendor:arrismodel:vap2500scope:lteversion:08.41

Trust: 1.0

vendor:arris groupmodel:vap2500scope:ltversion:fw08.41

Trust: 0.8

vendor:arrismodel:vap2500scope: - version: -

Trust: 0.7

vendor:arris groupmodel:vap2500scope: - version: -

Trust: 0.6

vendor:arrismodel:vap2500scope:eqversion:08.41

Trust: 0.6

sources: ZDI: ZDI-14-389 // CNVD: CNVD-2014-08576 // JVNDB: JVNDB-2014-005687 // CNNVD: CNNVD-201411-518 // NVD: CVE-2014-8423

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8423
value: HIGH

Trust: 1.0

NVD: CVE-2014-8423
value: HIGH

Trust: 0.8

ZDI: CVE-2014-8423
value: HIGH

Trust: 0.7

CNVD: CNVD-2014-08576
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201411-518
value: CRITICAL

Trust: 0.6

VULHUB: VHN-76368
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8423
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2014-08576
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-76368
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZDI: ZDI-14-389 // CNVD: CNVD-2014-08576 // VULHUB: VHN-76368 // JVNDB: JVNDB-2014-005687 // CNNVD: CNNVD-201411-518 // NVD: CVE-2014-8423

PROBLEMTYPE DATA

problemtype:CWE-74

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-76368 // JVNDB: JVNDB-2014-005687 // NVD: CVE-2014-8423

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-518

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201411-518

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-005687

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-76368

PATCH
title:Top Pageurl:http://www.arrisi.com/products/product.asp?id=5017
Trust: 0.8
title:Patch for Arris VAP2500 Remote Code Execution Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/52267
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-08576 // 
            
            
            
            JVNDB: JVNDB-2014-005687

EXTERNAL IDS
db:NVDid:CVE-2014-8423
Trust: 4.1
db:ZDIid:ZDI-14-389
Trust: 3.2
db:BIDid:71299
Trust: 1.6
db:JVNDBid:JVNDB-2014-005687
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-2137
Trust: 0.7
db:CNNVDid:CNNVD-201411-518
Trust: 0.7
db:CNVDid:CNVD-2014-08576
Trust: 0.6
db:EXPLOIT-DBid:35372
Trust: 0.1
db:PACKETSTORMid:130064
Trust: 0.1
db:VULHUBid:VHN-76368
Trust: 0.1
sources:
            
            
            ZDI: ZDI-14-389 // 
            
            
            
            CNVD: CNVD-2014-08576 // 
            
            
            
            VULHUB: VHN-76368 // 
            
            
            
            BID: 71299 // 
            
            
            
            JVNDB: JVNDB-2014-005687 // 
            
            
            
            CNNVD: CNNVD-201411-518 // 
            
            
            
            NVD: CVE-2014-8423

REFERENCES
url:http://www.zerodayinitiative.com/advisories/zdi-14-389/
Trust: 2.5
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8423
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8423
Trust: 0.8
url:http://www.securityfocus.com/bid/71299/info
Trust: 0.6
url:http://www.securityfocus.com/bid/71299
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-08576 // 
            
            
            
            VULHUB: VHN-76368 // 
            
            
            
            JVNDB: JVNDB-2014-005687 // 
            
            
            
            CNNVD: CNNVD-201411-518 // 
            
            
            
            NVD: CVE-2014-8423

CREDITS
Ricky "HeadlessZeke" Lawshae
Trust: 1.6
sources:
            
            
            ZDI: ZDI-14-389 // 
            
            
            
            BID: 71299 // 
            
            
            
            CNNVD: CNNVD-201411-518

SOURCES
db:ZDIid:ZDI-14-389
db:CNVDid:CNVD-2014-08576
db:VULHUBid:VHN-76368
db:BIDid:71299
db:JVNDBid:JVNDB-2014-005687
db:CNNVDid:CNNVD-201411-518
db:NVDid:CVE-2014-8423

LAST UPDATE DATE
2025-04-12T23:16:58.779000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-14-389date:2014-11-25T00:00:00
db:CNVDid:CNVD-2014-08576date:2014-11-28T00:00:00
db:VULHUBid:VHN-76368date:2014-11-28T00:00:00
db:BIDid:71299date:2014-12-03T00:55:00
db:JVNDBid:JVNDB-2014-005687date:2014-12-01T00:00:00
db:CNNVDid:CNNVD-201411-518date:2014-12-02T00:00:00
db:NVDid:CVE-2014-8423date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:ZDIid:ZDI-14-389date:2014-11-25T00:00:00
db:CNVDid:CNVD-2014-08576date:2014-11-28T00:00:00
db:VULHUBid:VHN-76368date:2014-11-28T00:00:00
db:BIDid:71299date:2014-11-25T00:00:00
db:JVNDBid:JVNDB-2014-005687date:2014-12-01T00:00:00
db:CNNVDid:CNNVD-201411-518date:2014-11-27T00:00:00
db:NVDid:CVE-2014-8423date:2014-11-28T15:59:03.150