| ଫିଲ୍ଡ | ସୃଷ୍ଟି ହୋଇଛି
08/27/2024 01:39 PM | ଅଦ୍ୟତନ 1/2
08/28/2024 04:29 PM | ଅଦ୍ୟତନ 2/2
08/29/2024 06:36 PM |
|---|
| software_vendor | D-Link | D-Link | D-Link |
| software_name | DNS-120/DNR-202L/DNS-315L/DNS-320/DNS-320L/DNS-320LW/DNS-321/DNR-322L/DNS-323/DNS-325/DNS-326/DNS-327L/DNR-326/DNS-340L/DNS-343/DNS-345/DNS-726-4/DNS-1100-4/DNS-1200-05/DNS-1550-04 | DNS-120/DNR-202L/DNS-315L/DNS-320/DNS-320L/DNS-320LW/DNS-321/DNR-322L/DNS-323/DNS-325/DNS-326/DNS-327L/DNR-326/DNS-340L/DNS-343/DNS-345/DNS-726-4/DNS-1100-4/DNS-1200-05/DNS-1550-04 | DNS-120/DNR-202L/DNS-315L/DNS-320/DNS-320L/DNS-320LW/DNS-321/DNR-322L/DNS-323/DNS-325/DNS-326/DNS-327L/DNR-326/DNS-340L/DNS-343/DNS-345/DNS-726-4/DNS-1100-4/DNS-1200-05/DNS-1550-04 |
| software_version | <=20240814 | <=20240814 | <=20240814 |
| software_file | /cgi-bin/hd_config.cgi | /cgi-bin/hd_config.cgi | /cgi-bin/hd_config.cgi |
| software_function | cgi_FMT_R12R5_1st_DiskMGR | cgi_FMT_R12R5_1st_DiskMGR | cgi_FMT_R12R5_1st_DiskMGR |
| software_argument | f_source_dev | f_source_dev | f_source_dev |
| vulnerability_cwe | CWE-77 (ବିସ୍ତାରିତ ଅଧିକାର) | CWE-77 (ବିସ୍ତାରିତ ଅଧିକାର) | CWE-77 (ବିସ୍ତାରିତ ଅଧିକାର) |
| vulnerability_risk | 2 | 2 | 2 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| cvss3_vuldb_e | P | P | P |
| cvss3_vuldb_rl | W | W | W |
| cvss3_vuldb_rc | C | C | C |
| advisory_identifier | SAP10383 | SAP10383 | SAP10383 |
| advisory_url | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md |
| advisory_confirm_url | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 |
| exploit_availability | 1 | 1 | 1 |
| exploit_publicity | 1 | 1 | 1 |
| exploit_url | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md |
| countermeasure_name | ବିକଳ୍ପ | ବିକଳ୍ପ | ବିକଳ୍ପ |
| source_cve | CVE-2024-8213 | CVE-2024-8213 | CVE-2024-8213 |
| cna_responsible | VulDB | VulDB | VulDB |
| response_summary | Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced. | Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced. | Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced. |
| cna_eol | 1 | 1 | 1 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | L | L | L |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss2_vuldb_e | POC | POC | POC |
| cvss2_vuldb_rc | C | C | C |
| cvss2_vuldb_rl | W | W | W |
| cvss4_vuldb_av | N | N | N |
| cvss4_vuldb_ac | L | L | L |
| cvss4_vuldb_ui | N | N | N |
| cvss4_vuldb_vc | L | L | L |
| cvss4_vuldb_vi | L | L | L |
| cvss4_vuldb_va | L | L | L |
| cvss4_vuldb_e | P | P | P |
| cvss2_vuldb_au | S | S | S |
| cvss3_vuldb_pr | L | L | L |
| cvss4_vuldb_at | N | N | N |
| cvss4_vuldb_pr | L | L | L |
| cvss4_vuldb_sc | N | N | N |
| cvss4_vuldb_si | N | N | N |
| cvss4_vuldb_sa | N | N | N |
| cvss2_vuldb_basescore | 6.5 | 6.5 | 6.5 |
| cvss2_vuldb_tempscore | 5.6 | 5.6 | 5.6 |
| cvss3_vuldb_basescore | 6.3 | 6.3 | 6.3 |
| cvss3_vuldb_tempscore | 5.8 | 5.8 | 5.8 |
| cvss3_meta_basescore | 6.3 | 6.3 | 7.5 |
| cvss3_meta_tempscore | 5.8 | 6.0 | 7.3 |
| cvss4_vuldb_bscore | 5.3 | 5.3 | 5.3 |
| cvss4_vuldb_btscore | 2.1 | 2.1 | 2.1 |
| advisory_date | 1724709600 (08/27/2024) | 1724709600 (08/27/2024) | 1724709600 (08/27/2024) |
| price_0day | $5k-$25k | $5k-$25k | $5k-$25k |
| cve_nvd_summary | | A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced. | A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced. |
| cve_nvd_summaryes | | Una vulnerabilidad clasificada como crítica ha sido encontrada en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS- 325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 en adelante a 20240814. La función cgi_FMT_R12R5_1st_DiskMGR del fichero /cgi-bin/hd_config.cgi es afectada por la vulnerabilidad. La manipulación del argumento f_source_dev conduce a la inyección de comandos. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó que el producto ha llegado al final de su vida útil. Debería retirarse y reemplazarse. | Una vulnerabilidad clasificada como crítica ha sido encontrada en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS- 325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 en adelante a 20240814. La función cgi_FMT_R12R5_1st_DiskMGR del fichero /cgi-bin/hd_config.cgi es afectada por la vulnerabilidad. La manipulación del argumento f_source_dev conduce a la inyección de comandos. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó que el producto ha llegado al final de su vida útil. Debería retirarse y reemplazarse. |
| cvss3_cna_av | | N | N |
| cvss3_cna_ac | | L | L |
| cvss3_cna_pr | | L | L |
| cvss3_cna_ui | | N | N |
| cvss3_cna_s | | U | U |
| cvss3_cna_c | | L | L |
| cvss3_cna_i | | L | L |
| cvss3_cna_a | | L | L |
| cvss3_cna_basescore | | 6.3 | 6.3 |
| cvss2_cna_av | | N | N |
| cvss2_cna_ac | | L | L |
| cvss2_cna_au | | S | S |
| cvss2_cna_ci | | P | P |
| cvss2_cna_ii | | P | P |
| cvss2_cna_ai | | P | P |
| cvss2_cna_basescore | | 6.5 | 6.5 |
| cvss3_nvd_av | | | N |
| cvss3_nvd_ac | | | L |
| cvss3_nvd_pr | | | N |
| cvss3_nvd_ui | | | N |
| cvss3_nvd_s | | | U |
| cvss3_nvd_c | | | H |
| cvss3_nvd_i | | | H |
| cvss3_nvd_a | | | H |
| cvss3_nvd_basescore | | | 9.8 |