Sign-up

ID

VAR-202002-0037


CVE

CVE-2012-6297


TITLE

DD-WRT Cross-site request forgery vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2012-006607

DESCRIPTION

Command Injection vulnerability exists via a CSRF in DD-WRT 24-sp2 from specially crafted configuration values containing shell meta-characters, which could let a remote malicious user cause a Denial of Service. DD-WRT Exists in a cross-site request forgery vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. DD-WRT is a non-commercial third-party firmware that can be used with some wireless routers. DD-WRT incorrectly filters some configuration values that contain shell metacharacters. An attacker can construct a malicious URI, entice a user to parse, and execute arbitrary commands as a root user through a cross-site request forgery attack. DD-WRT is prone to a command-injection vulnerability. Exploiting this issue could allow an attacker to execute arbitrary commands with elevated privileges in the context of the affected application. This may cause denial-of-service conditions. DD-WRT v24-sp2 is vulnerable; other versions may also be affected. Successful exploitation can result in system wide compromise or a denial of service condition depending on the commands being injected. This bug was reported via the DD-WRT bug tracker on November 20, 2012 but there does not appear to be ongoing development in the project

Trust: 2.52

sources: NVD: CVE-2012-6297 // JVNDB: JVNDB-2012-006607 // CNVD: CNVD-2013-09712 // BID: 61131 // PACKETSTORM: 122374

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-09712

AFFECTED PRODUCTS

vendor:dd wrtmodel:dd-wrtscope:eqversion:24

Trust: 1.0

vendor:dd wrtmodel:dd-wrtscope:eqversion:24-sp2

Trust: 0.8

vendor:dd wrtmodel:dd-wrt sp2scope:eqversion:24

Trust: 0.6

vendor:dd wrtmodel:dd-wrt v24-sp2scope: - version: -

Trust: 0.3

sources: CNVD: CNVD-2013-09712 // BID: 61131 // JVNDB: JVNDB-2012-006607 // NVD: CVE-2012-6297

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-6297
value: HIGH

Trust: 1.0

NVD: JVNDB-2012-006607
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-09712
value: LOW

Trust: 0.6

CNNVD: CNNVD-202002-180
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2012-6297
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2012-006607
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2013-09712
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2012-6297
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2012-006607
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2013-09712 // JVNDB: JVNDB-2012-006607 // CNNVD: CNNVD-202002-180 // NVD: CVE-2012-6297

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2012-006607 // NVD: CVE-2012-6297

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 122374 // CNNVD: CNNVD-202002-180

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202002-180

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-006607

PATCH
title:Top Pageurl:https://dd-wrt.com/
Trust: 0.8
title:Patch for DD-WRT cross-site request forgery vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/35152
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2013-09712 // 
            
            
            
            JVNDB: JVNDB-2012-006607

EXTERNAL IDS
db:NVDid:CVE-2012-6297
Trust: 3.4
db:VULDBid:9527
Trust: 2.4
db:JVNDBid:JVNDB-2012-006607
Trust: 0.8
db:CNVDid:CNVD-2013-09712
Trust: 0.6
db:CNNVDid:CNNVD-202002-180
Trust: 0.6
db:BIDid:61131
Trust: 0.3
db:PACKETSTORMid:122374
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2013-09712 // 
            
            
            
            BID: 61131 // 
            
            
            
            JVNDB: JVNDB-2012-006607 // 
            
            
            
            PACKETSTORM: 122374 // 
            
            
            
            CNNVD: CNNVD-202002-180 // 
            
            
            
            NVD: CVE-2012-6297

REFERENCES
url:https://vuldb.com/?id.9527
Trust: 2.4
url:https://lists.openwall.net/bugtraq/2013/07/12/2
Trust: 1.6
url:https://packetstormsecurity.com/files/cve/cve-2012-6297
Trust: 1.6
url:https://seclists.org/fulldisclosure/2013/oct/241
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2012-6297
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-6297
Trust: 0.8
url:http://seclists.org/bugtraq/2013/jul/76
Trust: 0.6
url:http://www.securityfocus.com/archive/1/527212
Trust: 0.3
url:http://www.dd-wrt.com/dd-wrtv3/dd-wrt/about.html
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2013-09712 // 
            
            
            
            BID: 61131 // 
            
            
            
            JVNDB: JVNDB-2012-006607 // 
            
            
            
            PACKETSTORM: 122374 // 
            
            
            
            CNNVD: CNNVD-202002-180 // 
            
            
            
            NVD: CVE-2012-6297

CREDITS
cyoung
Trust: 0.4
sources:
            
            
            BID: 61131 // 
            
            
            
            PACKETSTORM: 122374

SOURCES
db:CNVDid:CNVD-2013-09712
db:BIDid:61131
db:JVNDBid:JVNDB-2012-006607
db:PACKETSTORMid:122374
db:CNNVDid:CNNVD-202002-180
db:NVDid:CVE-2012-6297

LAST UPDATE DATE
2024-08-14T15:22:50.911000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2013-09712date:2013-07-22T00:00:00
db:BIDid:61131date:2012-11-20T00:00:00
db:JVNDBid:JVNDB-2012-006607date:2020-02-25T00:00:00
db:CNNVDid:CNNVD-202002-180date:2020-05-12T00:00:00
db:NVDid:CVE-2012-6297date:2020-02-11T18:53:05.647

SOURCES RELEASE DATE
db:CNVDid:CNVD-2013-09712date:2013-07-22T00:00:00
db:BIDid:61131date:2012-11-20T00:00:00
db:JVNDBid:JVNDB-2012-006607date:2020-02-25T00:00:00
db:PACKETSTORMid:122374date:2013-07-12T04:44:44
db:CNNVDid:CNNVD-202002-180date:2020-02-06T00:00:00
db:NVDid:CVE-2012-6297date:2020-02-06T18:15:12.947