Lucene search

[email protected]NVD:CVE-2022-24655

HistoryMar 18, 2022 - 11:15 a.m.

CVE-2022-24655

2022-03-1811:15:08

CWE-787

[email protected]

web.nvd.nist.gov

cve-2022-24655

vulnerability

upnpd

netgear

execution of arbitrary code

authentication.

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

54.5%

JSON

A stack overflow vulnerability exists in the upnpd service in Netgear EX6100v1 201.0.2.28, CAX80 2.1.2.6, and DC112A 1.0.0.62, which may lead to the execution of arbitrary code without authentication.

Affected configurations

Nvd

Node

netgearex6100_firmwareMatch201.0.2.28

AND

netgearex6100Match-

Node

netgearex6200_firmware

AND

netgearex6200Match-

Node

netgearcax80_firmwareMatch2.1.2.6

AND

netgearcax80Match-

Node

netgeardc112a_firmwareMatch1.0.0.62

AND

netgeardc112aMatch-

VendorProductVersionCPE
netgearex6100_firmware201.0.2.28cpe:2.3:o:netgear:ex6100_firmware:201.0.2.28:*:*:*:*:*:*:*
netgearex6100-cpe:2.3:h:netgear:ex6100:-:*:*:*:*:*:*:*
netgearex6200_firmware*cpe:2.3:o:netgear:ex6200_firmware:*:*:*:*:*:*:*:*
netgearex6200-cpe:2.3:h:netgear:ex6200:-:*:*:*:*:*:*:*
netgearcax80_firmware2.1.2.6cpe:2.3:o:netgear:cax80_firmware:2.1.2.6:*:*:*:*:*:*:*
netgearcax80-cpe:2.3:h:netgear:cax80:-:*:*:*:*:*:*:*
netgeardc112a_firmware1.0.0.62cpe:2.3:o:netgear:dc112a_firmware:1.0.0.62:*:*:*:*:*:*:*
netgeardc112a-cpe:2.3:h:netgear:dc112a:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
netgear	ex6100_firmware	201.0.2.28	cpe:2.3:o:netgear:ex6100_firmware:201.0.2.28:::::::*
netgear	ex6100	-	cpe:2.3:h:netgear:ex6100:-:::::::*
netgear	ex6200_firmware	*	cpe:2.3:o:netgear:ex6200_firmware::::::::
netgear	ex6200	-	cpe:2.3:h:netgear:ex6200:-:::::::*
netgear	cax80_firmware	2.1.2.6	cpe:2.3:o:netgear:cax80_firmware:2.1.2.6:::::::*
netgear	cax80	-	cpe:2.3:h:netgear:cax80:-:::::::*
netgear	dc112a_firmware	1.0.0.62	cpe:2.3:o:netgear:dc112a_firmware:1.0.0.62:::::::*
netgear	dc112a	-	cpe:2.3:h:netgear:dc112a:-:::::::*

References

github.com/doudoudedi/Netgear_product_stack_overflow/blob/main/NETGEAR%20EX%20series%20upnpd%20stack_overflow.md

kb.netgear.com/000064615/Security-Advisory-for-Pre-Authentication-Command-Injection-on-EX6100v1-and-Pre-Authentication-Stack-Overflow-on-Multiple-Products-PSV-2021-0282-PSV-2021-0288

www.netgear.com/about/security/

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

54.5%

JSON

Related for NVD:CVE-2022-24655

cvelist1 cve1 prion1