ID

VAR-202206-0754


CVE

CVE-2022-23138


TITLE

Insufficient Random Value Usage Vulnerability in ZTE MF297D Firmware

Trust: 0.8

sources: JVNDB: JVNDB-2022-011120

DESCRIPTION

ZTE's MF297D product has a cryptographic issue. Because it uses weak random values, the security of the device is reduced and it may be exposed to attack. The ZTE MF297D firmware contains a vulnerability related to the use of insufficiently random values; information may be obtained. ZTE MF297D is a 4G wireless router made by ZTE Corporation of China. An attacker could exploit this vulnerability to obtain sensitive information.

Trust: 2.25

sources: NVD: CVE-2022-23138 // JVNDB: JVNDB-2022-011120 // CNVD: CNVD-2023-39042 // VULMON: CVE-2022-23138

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-39042

AFFECTED PRODUCTS

vendor: zte model: mf297d scope: - version: -

Trust: 1.4

vendor: zte model: mf297d scope: eq version: mf297d_nordic1_b05

Trust: 1.0

vendor: zte model: mf297d scope: eq version: mf297d firmware mf297d nordic1 b05

Trust: 0.8

vendor: zte model: mf297d scope: eq version: -

Trust: 0.8

sources: CNVD: CNVD-2023-39042 // JVNDB: JVNDB-2022-011120 // NVD: CVE-2022-23138

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23138
value: HIGH

Trust: 1.0

NVD: CVE-2022-23138
value: HIGH

Trust: 0.8

CNVD: CNVD-2023-39042
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202206-898
value: HIGH

Trust: 0.6

VULMON: CVE-2022-23138
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-23138
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2023-39042
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23138
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-23138
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-39042 // VULMON: CVE-2022-23138 // JVNDB: JVNDB-2022-011120 // CNNVD: CNNVD-202206-898 // NVD: CVE-2022-23138

PROBLEMTYPE DATA

problemtype: CWE-330

Trust: 1.0

problemtype: Use of insufficiently random values (CWE-330) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-011120 // NVD: CVE-2022-23138

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-898

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-202206-898

PATCH

title: Patch for ZTE MF297D Information Disclosure Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/428811

Trust: 0.6

title: ZTE MF297D Fixing measures for security feature vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=196468

Trust: 0.6

sources: CNVD: CNVD-2023-39042 // CNNVD: CNNVD-202206-898

EXTERNAL IDS

db: NVD id: CVE-2022-23138

Trust: 3.9

db: ZTE id: 1024624

Trust: 2.5

db: JVNDB id: JVNDB-2022-011120

Trust: 0.8

db: CNVD id: CNVD-2023-39042

Trust: 0.6

db: CNNVD id: CNNVD-202206-898

Trust: 0.6

db: VULMON id: CVE-2022-23138

Trust: 0.1

sources: CNVD: CNVD-2023-39042 // VULMON: CVE-2022-23138 // JVNDB: JVNDB-2022-011120 // CNNVD: CNNVD-202206-898 // NVD: CVE-2022-23138

REFERENCES

url:https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1024624

Trust: 2.5

url:https://cxsecurity.com/cveshow/cve-2022-23138/

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-23138

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/330.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2023-39042 // VULMON: CVE-2022-23138 // JVNDB: JVNDB-2022-011120 // CNNVD: CNNVD-202206-898 // NVD: CVE-2022-23138

SOURCES

db: CNVD id: CNVD-2023-39042
db: VULMON id: CVE-2022-23138
db: JVNDB id: JVNDB-2022-011120
db: CNNVD id: CNNVD-202206-898
db: NVD id: CVE-2022-23138

LAST UPDATE DATE

2024-11-23T23:03:46.984000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2023-39042 date: 2023-05-19T00:00:00
db: VULMON id: CVE-2022-23138 date: 2022-06-15T00:00:00
db: JVNDB id: JVNDB-2022-011120 date: 2023-08-18T08:23:00
db: CNNVD id: CNNVD-202206-898 date: 2022-06-16T00:00:00
db: NVD id: CVE-2022-23138 date: 2024-11-21T06:48:04.897

SOURCES RELEASE DATE

db: CNVD id: CNVD-2023-39042 date: 2023-05-19T00:00:00
db: VULMON id: CVE-2022-23138 date: 2022-06-09T00:00:00
db: JVNDB id: JVNDB-2022-011120 date: 2023-08-18T00:00:00
db: CNNVD id: CNNVD-202206-898 date: 2022-06-09T00:00:00
db: NVD id: CVE-2022-23138 date: 2022-06-09T15:15:09.680