CVE-2022-43466

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-43466
OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CGI program.

6.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://jvn.jp/en/vu/JVNVU97099584/
https://www.buffalo.jp/news/detail/20240131-01.html
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:buffalo:wsr-3200ax4s_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4s:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:buffalo:wsr-3200ax4b_firmware:1.25:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4b:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp2:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:buffalo:wsr-a2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp2:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp3:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:buffalo:wsr-a2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp3:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhpl2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpl2:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:buffalo:wsr-2533dhpls_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpls:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:buffalo:wex-1800ax4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wex-1800ax4:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:buffalo:wex-1800ax4ea_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wex-1800ax4ea:-:*:*:*:*:*:*:*
History

14 Feb 2024, 07:15

Type Values Removed Values Added
Summary
  • (es) Dispositivos de red Buffalo WSR-3200AX4S firmware Ver. 1.26 y anteriores, versión del firmware WSR-3200AX4B. 1.25, versión del firmware WSR-2533DHP2. 1.22 y anteriores, versión del firmware WSR-A2533DHP2. 1.22 y anteriores, versión del firmware WSR-2533DHP3. 1.26 y anteriores, versión del firmware WSR-A2533DHP3. 1.26 y anteriores, versión del firmware WSR-2533DHPL2. 1.03 y anteriores, versión del firmware WSR-2533DHPLS. 1.07 y anteriores, versión del firmware WEX-1800AX4. 1.13 y anteriores, y la versión del firmware WEX-1800AX4EA. 1.13 y anteriores permiten a un atacante adyacente a la red con privilegios administrativos ejecutar un comando arbitrario del sistema operativo si se envía una solicitud especialmente manipulada a un programa CGI específico.
Summary (en) Buffalo network devices WSR-3200AX4S firmware Ver. 1.26 and earlier, WSR-3200AX4B firmware Ver. 1.25, WSR-2533DHP2 firmware Ver. 1.22 and earlier, WSR-A2533DHP2 firmware Ver. 1.22 and earlier, WSR-2533DHP3 firmware Ver. 1.26 and earlier, WSR-A2533DHP3 firmware Ver. 1.26 and earlier, WSR-2533DHPL2 firmware Ver. 1.03 and earlier, WSR-2533DHPLS firmware Ver. 1.07 and earlier, WEX-1800AX4 firmware Ver. 1.13 and earlier, and WEX-1800AX4EA firmware Ver. 1.13 and earlier allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CGI program. (en) OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CGI program.
References
  • {'url': 'https://jvn.jp/en/vu/JVNVU97099584/index.html', 'tags': ['Third Party Advisory', 'VDB Entry'], 'source': 'vultures@jpcert.or.jp'}
  • {'url': 'https://www.buffalo.jp/news/detail/20221205-01.html', 'tags': ['Patch', 'Vendor Advisory'], 'source': 'vultures@jpcert.or.jp'}
  • () https://jvn.jp/en/vu/JVNVU97099584/ -
  • () https://www.buffalo.jp/news/detail/20240131-01.html -

27 Dec 2022, 17:47

Type Values Removed Values Added
CWE CWE-78
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.8
References (MISC) https://www.buffalo.jp/news/detail/20221205-01.html - (MISC) https://www.buffalo.jp/news/detail/20221205-01.html - Patch, Vendor Advisory
References (MISC) https://jvn.jp/en/vu/JVNVU97099584/index.html - (MISC) https://jvn.jp/en/vu/JVNVU97099584/index.html - Third Party Advisory, VDB Entry
First Time Buffalo wex-1800ax4
Buffalo wex-1800ax4ea Firmware
Buffalo wex-1800ax4 Firmware
Buffalo wsr-a2533dhp2
Buffalo wsr-2533dhpl2 Firmware
Buffalo wsr-a2533dhp2 Firmware
Buffalo wsr-2533dhp3
Buffalo wsr-2533dhp3 Firmware
Buffalo wsr-2533dhpls Firmware
Buffalo wsr-3200ax4b Firmware
Buffalo wsr-2533dhpl2
Buffalo wsr-a2533dhp3
Buffalo wsr-3200ax4s Firmware
Buffalo wsr-3200ax4b
Buffalo wsr-3200ax4s
Buffalo wsr-2533dhpls
Buffalo wsr-2533dhp2 Firmware
Buffalo wsr-a2533dhp3 Firmware
Buffalo
Buffalo wex-1800ax4ea
Buffalo wsr-2533dhp2
CPE cpe:2.3:o:buffalo:wsr-3200ax4s_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpls:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-3200ax4b_firmware:1.25:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4b:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wex-1800ax4ea_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhpl2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp3:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhpls_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp3:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wex-1800ax4:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-a2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wex-1800ax4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-a2533dhp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-3200ax4s:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wex-1800ax4ea:-:*:*:*:*:*:*:*
cpe:2.3:o:buffalo:wsr-2533dhp3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhp2:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-a2533dhp2:-:*:*:*:*:*:*:*
cpe:2.3:h:buffalo:wsr-2533dhpl2:-:*:*:*:*:*:*:*

19 Dec 2022, 04:00

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-19 03:15

Updated : 2024-02-14 07:15

NVD link : CVE-2022-43466

Mitre link : CVE-2022-43466

CVE.ORG link : CVE-2022-43466

JSON object : View

Products Affected

buffalo

  • wsr-2533dhpls
  • wex-1800ax4ea_firmware
  • wsr-2533dhp2_firmware
  • wex-1800ax4
  • wsr-3200ax4s_firmware
  • wsr-a2533dhp3_firmware
  • wsr-a2533dhp2
  • wex-1800ax4ea
  • wsr-2533dhp3_firmware
  • wsr-2533dhp2
  • wsr-2533dhpl2
  • wsr-3200ax4b_firmware
  • wsr-2533dhpls_firmware
  • wsr-a2533dhp3
  • wsr-3200ax4b
  • wsr-3200ax4s
  • wsr-a2533dhp2_firmware
  • wex-1800ax4_firmware
  • wsr-2533dhp3
  • wsr-2533dhpl2_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')