ID

VAR-202405-0129


CVE

CVE-2024-4497


TITLE

Tenda i21 formexeCommand function buffer overflow vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-22403

DESCRIPTION

A vulnerability was found in Tenda i21 1.0.0.14(4656). It has been declared as critical. This vulnerability affects the function formexeCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263086 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Tenda i21 is a wireless access point of China's Tenda Company. The vulnerability is caused by the parameter cmdinput of the function formexeCommand failing to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack

Trust: 1.44

sources: NVD: CVE-2024-4497 // CNVD: CNVD-2024-22403

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-22403

AFFECTED PRODUCTS

vendor:tendamodel:i21scope:eqversion:1.0.0.14(4656)

Trust: 0.6

sources: CNVD: CNVD-2024-22403

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-4497
value: HIGH

Trust: 1.0

CNVD: CNVD-2024-22403
value: HIGH

Trust: 0.6

cna@vuldb.com:
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

CNVD: CNVD-2024-22403
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-22403 // NVD: CVE-2024-4497

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

sources: NVD: CVE-2024-4497

EXTERNAL IDS

db:NVDid:CVE-2024-4497

Trust: 1.6

db:VULDBid:263086

Trust: 1.0

db:CNVDid:CNVD-2024-22403

Trust: 0.6

sources: CNVD: CNVD-2024-22403 // NVD: CVE-2024-4497

REFERENCES

url:https://github.com/abcdefg-png/iot-vulnerable/blob/main/tenda/i/i21/formexecommand.md

Trust: 1.0

url:https://vuldb.com/?ctiid.263086

Trust: 1.0

url:https://vuldb.com/?id.263086

Trust: 1.0

url:https://vuldb.com/?submit.323607

Trust: 1.0

url:https://www.cnnvd.org.cn/home/globalsearch?keyword=cve-2024-4497

Trust: 0.6

sources: CNVD: CNVD-2024-22403 // NVD: CVE-2024-4497

SOURCES

db:CNVDid:CNVD-2024-22403
db:NVDid:CVE-2024-4497

LAST UPDATE DATE

2024-05-17T23:01:30.689000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2024-22403date:2024-05-14T00:00:00
db:NVDid:CVE-2024-4497date:2024-05-17T02:40:25.347

SOURCES RELEASE DATE

db:CNVDid:CNVD-2024-22403date:2024-05-11T00:00:00
db:NVDid:CVE-2024-4497date:2024-05-05T07:15:06.463