Japan Vulnerability Notes (jvn), JVN:23771490
Dec 26, 2023 - 12:00 a.m.

JVN#23771490: Multiple vulnerabilities in BUFFALO VR-S1000

2023-12-26 00:00:00
Japan Vulnerability Notes
jvn.jp
os injection
argument injection
cryptographic key
information disclosure
firmware update
vr-s1000

CVSS3: 7.8 High

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.9 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 21.9%)

VR-S1000 provided by BUFFALO INC. contains multiple vulnerabilities listed below.

OS command injection (CWE-78) - CVE-2023-45741

  • CVSS v3: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Base Score: 6.8)
  • CVSS v2: AV:A/AC:L/Au:S/C:P/I:P/A:P (Base Score: 5.2)

Argument injection (CWE-88) - CVE-2023-46681

  • CVSS v3: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Base Score: 7.8)
  • CVSS v2: AV:L/AC:L/Au:S/C:P/I:P/A:P (Base Score: 4.3)

Use of hard-coded cryptographic key (CWE-321) - CVE-2023-46711

  • CVSS v3: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Base Score: 2.4)
  • CVSS v2: AV:L/AC:M/Au:N/C:P/I:N/A:N (Base Score: 1.9)

Information disclosure (CWE-200) - CVE-2023-51363

  • CVSS v3: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Base Score: 6.5)
  • CVSS v2: AV:A/AC:L/Au:N/C:P/I:N/A:N (Base Score: 3.3)

Impact

  • A network-adjacent attacker with access to the product’s web management page may execute an arbitrary OS command - CVE-2023-45741
  • A local attacker who can access the product’s command line interface may execute an arbitrary command - CVE-2023-46681
  • The password of a specific product user may be cracked - CVE-2023-46711
  • A network-adjacent attacker who can access the product’s web management page may obtain sensitive information - CVE-2023-51363

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Products Affected

  • VR-S1000 firmware Ver. 2.37 and earlier
