Details of VAR-202202-0901

ID

VAR-202202-0901

CVE

CVE-2022-24972

TITLE

TP-LINK Technologies of TL-WR940N Firmware vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-021739

DESCRIPTION

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13911. TP-LINK Technologies of TL-WR940N There are unspecified vulnerabilities in the firmware.Information may be obtained

Trust: 2.34

sources: NVD: CVE-2022-24972 // JVNDB: JVNDB-2022-021739 // ZDI: ZDI-22-405 // VULMON: CVE-2022-24972

AFFECTED PRODUCTS

vendor:	tp link	model:	tl-wr940n	scope:	-	version:	-	Trust: 1.5
vendor:	tp link	model:	tl-wr940n	scope:	eq	version:	3.20.1	Trust: 1.0
vendor:	tp link	model:	tl-wr940n	scope:	eq	version:	tl-wr940n firmware 3.20.1	Trust: 0.8
vendor:	tp link	model:	tl-wr940n	scope:	eq	version:	-	Trust: 0.8

sources: ZDI: ZDI-22-405 // JVNDB: JVNDB-2022-021739 // NVD: CVE-2022-24972

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2022-24972
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2022-24972
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-24972
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2022-24972
value:	MEDIUM
Trust: 0.7
CNNVD:	CNNVD-202202-1733
value:	MEDIUM
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2022-24972
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2022-24972
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
ZDI:	CVE-2022-24972
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-405 // JVNDB: JVNDB-2022-021739 // CNNVD: CNNVD-202202-1733 // NVD: CVE-2022-24972 // NVD: CVE-2022-24972

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-021739 // NVD: CVE-2022-24972

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202202-1733

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202202-1733

EXTERNAL IDS

db:	NVD	id:	CVE-2022-24972	Trust: 4.0
db:	ZDI	id:	ZDI-22-405	Trust: 3.2
db:	JVNDB	id:	JVNDB-2022-021739	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-13911	Trust: 0.7
db:	CNNVD	id:	CNNVD-202202-1733	Trust: 0.6
db:	VULMON	id:	CVE-2022-24972	Trust: 0.1

sources: ZDI: ZDI-22-405 // VULMON: CVE-2022-24972 // JVNDB: JVNDB-2022-021739 // CNNVD: CNNVD-202202-1733 // NVD: CVE-2022-24972

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-22-405/	Trust: 3.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24972	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-24972/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/284.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2022-24972 // JVNDB: JVNDB-2022-021739 // CNNVD: CNNVD-202202-1733 // NVD: CVE-2022-24972

CREDITS

Vadym Kolisnichenko

Trust: 1.3

sources: ZDI: ZDI-22-405 // CNNVD: CNNVD-202202-1733

SOURCES

db:	ZDI	id:	ZDI-22-405
db:	VULMON	id:	CVE-2022-24972
db:	JVNDB	id:	JVNDB-2022-021739
db:	CNNVD	id:	CNNVD-202202-1733
db:	NVD	id:	CVE-2022-24972

LAST UPDATE DATE

2024-08-14T15:27:26.101000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-405	date:	2022-02-22T00:00:00
db:	VULMON	id:	CVE-2022-24972	date:	2023-03-28T00:00:00
db:	JVNDB	id:	JVNDB-2022-021739	date:	2023-11-14T02:52:00
db:	CNNVD	id:	CNNVD-202202-1733	date:	2023-04-06T00:00:00
db:	NVD	id:	CVE-2022-24972	date:	2023-04-05T03:34:41.627

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-405	date:	2022-02-22T00:00:00
db:	VULMON	id:	CVE-2022-24972	date:	2023-03-28T00:00:00
db:	JVNDB	id:	JVNDB-2022-021739	date:	2023-11-14T00:00:00
db:	CNNVD	id:	CNNVD-202202-1733	date:	2022-02-22T00:00:00
db:	NVD	id:	CVE-2022-24972	date:	2023-03-28T19:15:11.113