CVE-2022-43443

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-43443
OS command injection vulnerability in Buffalo network devices allows an network-adjacent attacker to execute an arbitrary OS command if a specially crafted request is sent to the management page.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://jvn.jp/en/vu/JVNVU97099584/
https://www.buffalo.jp/news/detail/20240131-01.html
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:buffalo:wsr-3200ax4s_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4s:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:buffalo:wsr-3200ax4b_firmware:1.25:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4b:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp2:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:buffalo:wsr-a2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp2:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp3:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:buffalo:wsr-a2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp3:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhpl2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpl2:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhpls_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpls:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhpl_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpl:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:buffalo:wcr-1166ds_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wcr-1166ds:-:*:*:*:*:*:*:*
History

14 Feb 2024, 07:15

Type Values Removed Values Added
References
  • {'url': 'https://jvn.jp/en/vu/JVNVU97099584/index.html', 'tags': ['Third Party Advisory', 'VDB Entry'], 'source': 'vultures@jpcert.or.jp'}
  • {'url': 'https://www.buffalo.jp/news/detail/20221205-01.html', 'tags': ['Patch', 'Vendor Advisory'], 'source': 'vultures@jpcert.or.jp'}
  • () https://jvn.jp/en/vu/JVNVU97099584/ -
  • () https://www.buffalo.jp/news/detail/20240131-01.html -
Summary
  • (es) Dispositivos de red Buffalo WSR-3200AX4S firmware Ver. 1.26 y anteriores, versión del firmware WSR-3200AX4B. 1.25, versión del firmware WSR-2533DHP. 1.08 y anteriores, versión del firmware WSR-2533DHP2. 1.22 y anteriores, versión del firmware WSR-A2533DHP2. 1.22 y anteriores, versión del firmware WSR-2533DHP3. 1.26 y anteriores, versión del firmware WSR-A2533DHP3. 1.26 y anteriores, versión del firmware WSR-2533DHPL. 1.08 y anteriores, versión del firmware WSR-2533DHPL2. 1.03 y anteriores, versión del firmware WSR-2533DHPLS. 1.07 y anteriores, y la versión del firmware WCR-1166DS. 1.34 y anteriores permiten a un atacante adyacente a la red ejecutar un comando arbitrario del sistema operativo si se envía una solicitud especialmente manipulada a la página de administración.
Summary (en) Buffalo network devices WSR-3200AX4S firmware Ver. 1.26 and earlier, WSR-3200AX4B firmware Ver. 1.25, WSR-2533DHP firmware Ver. 1.08 and earlier, WSR-2533DHP2 firmware Ver. 1.22 and earlier, WSR-A2533DHP2 firmware Ver. 1.22 and earlier, WSR-2533DHP3 firmware Ver. 1.26 and earlier, WSR-A2533DHP3 firmware Ver. 1.26 and earlier, WSR-2533DHPL firmware Ver. 1.08 and earlier, WSR-2533DHPL2 firmware Ver. 1.03 and earlier, WSR-2533DHPLS firmware Ver. 1.07 and earlier, and WCR-1166DS firmware Ver. 1.34 and earlier allows an network-adjacent attacker to execute an arbitrary OS command if a specially crafted request is sent to the management page. (en) OS command injection vulnerability in Buffalo network devices allows an network-adjacent attacker to execute an arbitrary OS command if a specially crafted request is sent to the management page.

27 Dec 2022, 17:46

Type Values Removed Values Added
References (MISC) https://www.buffalo.jp/news/detail/20221205-01.html - (MISC) https://www.buffalo.jp/news/detail/20221205-01.html - Patch, Vendor Advisory
References (MISC) https://jvn.jp/en/vu/JVNVU97099584/index.html - (MISC) https://jvn.jp/en/vu/JVNVU97099584/index.html - Third Party Advisory, VDB Entry
CWE CWE-78
CPE cpe:2.3:o:buffalo:wsr-3200ax4s_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpls:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-3200ax4b_firmware:1.25:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4b:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpl:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhpl2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wcr-1166ds_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp3:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wcr-1166ds:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhpls_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp3:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-a2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-a2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4s:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp2:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhpl_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp2:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpl2:-:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
First Time Buffalo wsr-2533dhp Firmware
Buffalo wsr-a2533dhp2
Buffalo wsr-2533dhpl2 Firmware
Buffalo wsr-a2533dhp2 Firmware
Buffalo wcr-1166ds Firmware
Buffalo wsr-2533dhp3
Buffalo wsr-2533dhp3 Firmware
Buffalo wsr-2533dhpls Firmware
Buffalo wsr-3200ax4b Firmware
Buffalo wsr-2533dhpl2
Buffalo wsr-a2533dhp3
Buffalo wsr-3200ax4s Firmware
Buffalo wsr-3200ax4b
Buffalo wsr-3200ax4s
Buffalo wsr-2533dhp
Buffalo wsr-2533dhpls
Buffalo wsr-2533dhpl Firmware
Buffalo wsr-2533dhp2 Firmware
Buffalo wcr-1166ds
Buffalo wsr-a2533dhp3 Firmware
Buffalo
Buffalo wsr-2533dhpl
Buffalo wsr-2533dhp2

19 Dec 2022, 04:00

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-19 03:15

Updated : 2024-02-14 07:15

NVD link : CVE-2022-43443

Mitre link : CVE-2022-43443

CVE.ORG link : CVE-2022-43443

JSON object : View

Products Affected

buffalo

  • wcr-1166ds
  • wsr-2533dhpls
  • wsr-2533dhpl
  • wsr-2533dhp2_firmware
  • wsr-2533dhp_firmware
  • wsr-2533dhp
  • wsr-3200ax4s_firmware
  • wsr-2533dhpl_firmware
  • wsr-a2533dhp3_firmware
  • wsr-a2533dhp2
  • wcr-1166ds_firmware
  • wsr-2533dhp3_firmware
  • wsr-2533dhp2
  • wsr-2533dhpl2
  • wsr-3200ax4b_firmware
  • wsr-2533dhpls_firmware
  • wsr-a2533dhp3
  • wsr-3200ax4b
  • wsr-3200ax4s
  • wsr-a2533dhp2_firmware
  • wsr-2533dhp3
  • wsr-2533dhpl2_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')