ID

VAR-202309-2529


CVE

CVE-2023-43137


TITLE

Command injection vulnerability in TP-LINK Technologies TL-ER5120G firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-012825

DESCRIPTION

TP-LINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability: when an authenticated attacker adds ACL rules, the rule name parameter is an injection point. TP-LINK Technologies TL-ER5120G firmware contains a command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TP-LINK TL-ER5120G is a multi-WAN port Gigabit commercial router from China's TP-LINK company. TP-LINK TL-ER5120G has a command execution vulnerability. The vulnerability is due to the failure to correctly filter special characters, commands, etc. in the rule name when it is used in the constructed command. An attacker could exploit this vulnerability to cause arbitrary command execution.

Trust: 2.16

sources: NVD: CVE-2023-43137 // JVNDB: JVNDB-2023-012825 // CNVD: CNVD-2024-02185

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-02185

AFFECTED PRODUCTS

vendor: tp link, model: tl-er5120g, scope: eq, version: 2.0.0

Trust: 1.0

vendor: tp link, model: tl-er5120g, scope: eq, version: -

Trust: 0.8

vendor: tp link, model: tl-er5120g, scope: eq, version: tl-er5120g firmware 2.0.0

Trust: 0.8

vendor: tp link, model: tl-er5120g, scope: -, version: -

Trust: 0.8

vendor: tp link, model: tl-er5120g build rel.80868n, scope: eq, version: 4.02.0.0210817

Trust: 0.6

sources: CNVD: CNVD-2024-02185 // JVNDB: JVNDB-2023-012825 // NVD: CVE-2023-43137

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-43137
value: HIGH

Trust: 1.0

NVD: CVE-2023-43137
value: HIGH

Trust: 0.8

CNVD: CNVD-2024-02185
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-02185
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-43137
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-43137
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-02185 // JVNDB: JVNDB-2023-012825 // NVD: CVE-2023-43137

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: Command injection (CWE-77) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-012825 // NVD: CVE-2023-43137

PATCH

title: Patch for TP-LINK TL-ER5120G command execution vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/515666

Trust: 0.6

sources: CNVD: CNVD-2024-02185

EXTERNAL IDS

db: NVD, id: CVE-2023-43137

Trust: 3.2

db: JVNDB, id: JVNDB-2023-012825

Trust: 0.8

db: CNVD, id: CNVD-2024-02185

Trust: 0.6

sources: CNVD: CNVD-2024-02185 // JVNDB: JVNDB-2023-012825 // NVD: CVE-2023-43137

REFERENCES

url: https://github.com/7r4c4r/cve/blob/main/tplink-tl-er5120g/command%20injection/01/command%20injection01.md

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2023-43137

Trust: 0.8

sources: CNVD: CNVD-2024-02185 // JVNDB: JVNDB-2023-012825 // NVD: CVE-2023-43137

SOURCES

db: CNVD, id: CNVD-2024-02185
db: JVNDB, id: JVNDB-2023-012825
db: NVD, id: CVE-2023-43137

LAST UPDATE DATE

2024-08-14T14:16:57.871000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-02185, date: 2024-01-12T00:00:00
db: JVNDB, id: JVNDB-2023-012825, date: 2023-12-19T06:42:00
db: NVD, id: CVE-2023-43137, date: 2023-09-22T02:11:55.050

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-02185, date: 2024-01-12T00:00:00
db: JVNDB, id: JVNDB-2023-012825, date: 2023-12-19T00:00:00
db: NVD, id: CVE-2023-43137, date: 2023-09-20T20:15:12.250