Details of VAR-202208-1701

ID

VAR-202208-1701

CVE

CVE-2022-38132

TITLE

Linksys MR8300 Operating System Command Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-59208 // CNNVD: CNNVD-202208-3805

DESCRIPTION

Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. This issue affects: Linksys MR8300 Router 1.0. (DoS) It may be in a state. Attackers can use this vulnerability to execute arbitrary operating system commands

Trust: 2.16

sources: NVD: CVE-2022-38132 // JVNDB: JVNDB-2022-015708 // CNVD: CNVD-2022-59208

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-59208

AFFECTED PRODUCTS

vendor:	linksys	model:	mr8300	scope:	eq	version:	1.0	Trust: 1.6
vendor:	シスコシステムズ linksys	model:	mr8300	scope:	eq	version:	mr8300 firmware 1.0	Trust: 0.8
vendor:	シスコシステムズ linksys	model:	mr8300	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ linksys	model:	mr8300	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2022-59208 // JVNDB: JVNDB-2022-015708 // NVD: CVE-2022-38132

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-38132
value:	HIGH
Trust: 1.0
info@cybellum.com:	CVE-2022-38132
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-38132
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-59208
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202208-3805
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2022-59208
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:L/AC:L/AU:M/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	2.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-38132
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.0
impactScore:	6.0
version:	3.1
Trust: 1.0
info@cybellum.com:	CVE-2022-38132
baseSeverity:	HIGH
baseScore:	8.2
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.5
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2022-38132
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-59208 // JVNDB: JVNDB-2022-015708 // CNNVD: CNNVD-202208-3805 // NVD: CVE-2022-38132 // NVD: CVE-2022-38132

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-015708 // NVD: CVE-2022-38132

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202208-3805

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202208-3805

PATCH

title:	Patch for Linksys MR8300 Operating System Command Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/347406	Trust: 0.6
title:	Linksys MR8300 Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=205292	Trust: 0.6

sources: CNVD: CNVD-2022-59208 // CNNVD: CNNVD-202208-3805

EXTERNAL IDS

db:	NVD	id:	CVE-2022-38132	Trust: 3.8
db:	JVNDB	id:	JVNDB-2022-015708	Trust: 0.8
db:	CNVD	id:	CNVD-2022-59208	Trust: 0.6
db:	CNNVD	id:	CNNVD-202208-3805	Trust: 0.6

sources: CNVD: CNVD-2022-59208 // JVNDB: JVNDB-2022-015708 // CNNVD: CNNVD-202208-3805 // NVD: CVE-2022-38132

REFERENCES

url:	https://downloads.linksys.com/support/assets/releasenotes/mr8300_1.1.10.210186_customer_releasenotes.txt	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-38132	Trust: 2.0
url:	https://cxsecurity.com/cveshow/cve-2022-38132/	Trust: 0.6

sources: CNVD: CNVD-2022-59208 // JVNDB: JVNDB-2022-015708 // CNNVD: CNNVD-202208-3805 // NVD: CVE-2022-38132

SOURCES

db:	CNVD	id:	CNVD-2022-59208
db:	JVNDB	id:	JVNDB-2022-015708
db:	CNNVD	id:	CNNVD-202208-3805
db:	NVD	id:	CVE-2022-38132

LAST UPDATE DATE

2024-08-14T14:24:36.645000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-59208	date:	2022-08-25T00:00:00
db:	JVNDB	id:	JVNDB-2022-015708	date:	2023-09-28T08:07:00
db:	CNNVD	id:	CNNVD-202208-3805	date:	2022-08-30T00:00:00
db:	NVD	id:	CVE-2022-38132	date:	2022-08-29T15:52:00.367

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-59208	date:	2022-08-25T00:00:00
db:	JVNDB	id:	JVNDB-2022-015708	date:	2023-09-28T00:00:00
db:	CNNVD	id:	CNNVD-202208-3805	date:	2022-08-23T00:00:00
db:	NVD	id:	CVE-2022-38132	date:	2022-08-24T00:15:08.150