ID

VAR-202203-1301


CVE

CVE-2022-26990


TITLE

Command Injection Vulnerability in Multiple ARRIS Products (CNVD-2022-68531)

Trust: 0.6

sources: CNVD: CNVD-2022-68531

DESCRIPTION

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. ARRIS SBR-AC1900P, SBR-AC3200P and SBR-AC1200P are Wi-Fi routers from ARRIS Corporation in the United States. The vulnerability stems from the firewall's local log function failing to properly filter special characters, command elements and similar input when constructing commands.

Trust: 1.44

sources: NVD: CVE-2022-26990 // CNVD: CNVD-2022-68531

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-68531

AFFECTED PRODUCTS

vendor: arris // model: sbr-ac1900p // scope: eq // version: 1.0.7-b05

Trust: 1.0

vendor: arris // model: sbr-ac3200p // scope: eq // version: 1.0.7-b05

Trust: 1.0

vendor: arris // model: sbr-ac1200p // scope: eq // version: 1.0.5-b05

Trust: 1.0

vendor: arris // model: sbr-ac1900p 1.0.7-b05 // scope: - // version: -

Trust: 0.6

vendor: arris // model: sbr-ac3200p 1.0.7-b05 // scope: - // version: -

Trust: 0.6

vendor: arris // model: sbr-ac1200p 1.0.5-b05 // scope: - // version: -

Trust: 0.6

sources: CNVD: CNVD-2022-68531 // NVD: CVE-2022-26990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26990
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2022-68531
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202203-1489
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2022-26990
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2022-68531
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-26990
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2022-68531 // CNNVD: CNNVD-202203-1489 // NVD: CVE-2022-26990

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

sources: NVD: CVE-2022-26990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-1489

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202203-1489

EXTERNAL IDS

db: NVD // id: CVE-2022-26990

Trust: 2.2

db: CNVD // id: CNVD-2022-68531

Trust: 0.6

db: CNNVD // id: CNNVD-202203-1489

Trust: 0.6

sources: CNVD: CNVD-2022-68531 // CNNVD: CNNVD-202203-1489 // NVD: CVE-2022-26990

REFERENCES

url: https://github.com/wudipjq/my_vuln/blob/main/arris/vuln_2/2.md

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2022-26990

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2022-26990/

Trust: 0.6

sources: CNVD: CNVD-2022-68531 // CNNVD: CNNVD-202203-1489 // NVD: CVE-2022-26990

SOURCES

db: CNVD // id: CNVD-2022-68531
db: CNNVD // id: CNNVD-202203-1489
db: NVD // id: CVE-2022-26990

LAST UPDATE DATE

2024-11-23T23:03:54.559000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2022-68531 // date: 2022-10-13T00:00:00
db: CNNVD // id: CNNVD-202203-1489 // date: 2022-04-14T00:00:00
db: NVD // id: CVE-2022-26990 // date: 2024-11-21T06:54:55.203

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2022-68531 // date: 2022-10-13T00:00:00
db: CNNVD // id: CNNVD-202203-1489 // date: 2022-03-15T00:00:00
db: NVD // id: CVE-2022-26990 // date: 2022-03-15T22:15:14.773