CVE-2022-24990

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-24990
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
https://forum.terra-master.com/en/viewforum.php?f=28 Issue Tracking Release Notes
https://github.com/0xf4n9x/CVE-2022-24990 Exploit Third Party Advisory
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ Exploit Third Party Advisory
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*
OR cpe:2.3:h:terra-master:f2-210:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-221:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-223:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-422:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f4-421:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f4-422:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f4-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f5-221:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f5-422:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t12-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t12-450:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t6-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t9-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t9-450:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u12-322-9100:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u12-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u12-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u16-322-9100:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u16-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u24-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u4-111:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u4-211:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u4-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-111:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-322-9100:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-522-9400:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-722-2224:-:*:*:*:*:*:*:*
History

08 Aug 2023, 14:21

Type Values Removed Values Added
CWE NVD-CWE-noinfo CWE-306

14 Jun 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html -

16 Feb 2023, 14:24

Type Values Removed Values Added
First Time Terra-master u16-322-9100
Terra-master f2-221
Terra-master f4-423
Terra-master u12-722-2224
Terra-master f4-421
Terra-master f2-223
Terra-master t12-423
Terra-master f4-422
Terra-master terramaster Operating System
Terra-master u4-211
Terra-master t9-423
Terra-master u12-322-9100
Terra-master t6-423
Terra-master u8-322-9100
Terra-master u16-722-2224
Terra-master f5-422
Terra-master f5-221
Terra-master
Terra-master u8-423
Terra-master f2-210
Terra-master u8-722-2224
Terra-master t12-450
Terra-master f2-422
Terra-master u8-522-9400
Terra-master u8-111
Terra-master f2-423
Terra-master u4-423
Terra-master t9-450
Terra-master u24-722-2224
Terra-master u12-423
Terra-master u4-111
CWE NVD-CWE-noinfo
CPE cpe:2.3:h:terra-master:u16-322-9100:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t12-450:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-223:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u4-211:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f4-422:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t9-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u4-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-422:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-221:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u12-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-522-9400:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u12-322-9100:-:*:*:*:*:*:*:*
cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f5-221:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t6-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f5-422:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-322-9100:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f4-421:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t12-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u4-111:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f4-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u24-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:t9-450:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u12-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-423:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u16-722-2224:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:u8-111:-:*:*:*:*:*:*:*
cpe:2.3:h:terra-master:f2-210:-:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References (MISC) https://github.com/0xf4n9x/CVE-2022-24990 - (MISC) https://github.com/0xf4n9x/CVE-2022-24990 - Exploit, Third Party Advisory
References (MISC) https://forum.terra-master.com/en/viewforum.php?f=28 - (MISC) https://forum.terra-master.com/en/viewforum.php?f=28 - Issue Tracking, Release Notes
References (MISC) https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ - (MISC) https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ - Exploit, Third Party Advisory
References (MISC) https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 - (MISC) https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 - Third Party Advisory

07 Feb 2023, 18:24

Type Values Removed Values Added
New CVE
Information

Published : 2023-02-07 18:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-24990

Mitre link : CVE-2022-24990

CVE.ORG link : CVE-2022-24990

JSON object : View

Products Affected

terra-master

  • t6-423
  • u4-211
  • u8-722-2224
  • u16-322-9100
  • f2-221
  • u16-722-2224
  • u24-722-2224
  • u8-111
  • t9-423
  • f5-422
  • f4-422
  • t9-450
  • u8-322-9100
  • f2-210
  • u8-522-9400
  • f4-423
  • f2-223
  • u4-423
  • f4-421
  • terramaster_operating_system
  • u12-322-9100
  • u4-111
  • t12-423
  • u12-423
  • f2-422
  • u8-423
  • f5-221
  • t12-450
  • f2-423
  • u12-722-2224
CWE
CWE-306

Missing Authentication for Critical Function