Sign-up

ID

VAR-202205-1037


CVE

CVE-2022-23139


TITLE

ZTE  of  zxmp m721  Fraudulent Authentication Vulnerability in Firmware

Trust: 0.8

sources: JVNDB: JVNDB-2022-009667

DESCRIPTION

ZTE's ZXMP M721 product has a permission and access control vulnerability. Since the folder permission viewed by sftp is 666, which is inconsistent with the actual permission. It’s easy for?users to?ignore the modification?of?the file permission configuration, so that low-authority accounts could actually obtain higher operating permissions on key files. ZTE of zxmp m721 An incorrect authentication vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ZTE ZXMP M721 is a metro edge OTN (Optical Transport Network) device of China ZTE Corporation (ZTE). Attackers can use this vulnerability to obtain higher permissions

Trust: 2.25

sources: NVD: CVE-2022-23139 // JVNDB: JVNDB-2022-009667 // CNVD: CNVD-2022-47340 // VULMON: CVE-2022-23139

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-47340

AFFECTED PRODUCTS

vendor:ztemodel:zxmp m721scope: - version: -

Trust: 1.4

vendor:ztemodel:zxmp m721scope:eqversion:5.10.030.006

Trust: 1.0

vendor:ztemodel:zxmp m721scope:eqversion:zxmp m721 firmware 5.10.030.006

Trust: 0.8

vendor:ztemodel:zxmp m721scope:eqversion: -

Trust: 0.8

sources: CNVD: CNVD-2022-47340 // JVNDB: JVNDB-2022-009667 // NVD: CVE-2022-23139

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23139
value: HIGH

Trust: 1.0

NVD: CVE-2022-23139
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-47340
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202205-3191
value: HIGH

Trust: 0.6

VULMON: CVE-2022-23139
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-23139
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-47340
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23139
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-23139
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-47340 // VULMON: CVE-2022-23139 // JVNDB: JVNDB-2022-009667 // CNNVD: CNNVD-202205-3191 // NVD: CVE-2022-23139

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.0

problemtype:Illegal authentication (CWE-863) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-009667 // NVD: CVE-2022-23139

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-3191

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202205-3191

PATCH

title:Patch for ZTE ZXMP M721 Permission and Access Control Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/337201

Trust: 0.6

title:ZTE ZXMP M721 Fixes for permissions and access control issues vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=193155

Trust: 0.6

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: CNVD: CNVD-2022-47340 // VULMON: CVE-2022-23139 // CNNVD: CNNVD-202205-3191

EXTERNAL IDS

db:NVDid:CVE-2022-23139

Trust: 3.9

db:ZTEid:1024444

Trust: 2.5

db:JVNDBid:JVNDB-2022-009667

Trust: 0.8

db:CNVDid:CNVD-2022-47340

Trust: 0.6

db:CS-HELPid:SB2022051602

Trust: 0.6

db:CNNVDid:CNNVD-202205-3191

Trust: 0.6

db:VULMONid:CVE-2022-23139

Trust: 0.1

sources: CNVD: CNVD-2022-47340 // VULMON: CVE-2022-23139 // JVNDB: JVNDB-2022-009667 // CNNVD: CNNVD-202205-3191 // NVD: CVE-2022-23139

REFERENCES

url:https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1024444

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-23139

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2022051602

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-23139/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: CNVD: CNVD-2022-47340 // VULMON: CVE-2022-23139 // JVNDB: JVNDB-2022-009667 // CNNVD: CNNVD-202205-3191 // NVD: CVE-2022-23139

SOURCES

db:CNVDid:CNVD-2022-47340
db:VULMONid:CVE-2022-23139
db:JVNDBid:JVNDB-2022-009667
db:CNNVDid:CNNVD-202205-3191
db:NVDid:CVE-2022-23139

LAST UPDATE DATE

2024-11-23T22:54:35.160000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-47340date:2022-06-24T00:00:00
db:VULMONid:CVE-2022-23139date:2022-05-23T00:00:00
db:JVNDBid:JVNDB-2022-009667date:2023-08-07T08:15:00
db:CNNVDid:CNNVD-202205-3191date:2022-05-24T00:00:00
db:NVDid:CVE-2022-23139date:2024-11-21T06:48:05.017

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-47340date:2022-06-24T00:00:00
db:VULMONid:CVE-2022-23139date:2022-05-12T00:00:00
db:JVNDBid:JVNDB-2022-009667date:2023-08-07T00:00:00
db:CNNVDid:CNNVD-202205-3191date:2022-05-12T00:00:00
db:NVDid:CVE-2022-23139date:2022-05-12T20:15:15.183