ID

VAR-202204-1549


CVE

CVE-2022-23972


TITLE

ASUS RT-AX56U SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-31518 // CNNVD: CNNVD-202204-2612

DESCRIPTION

ASUS RT-AX56U’s SQL handling function has an SQL injection vulnerability due to insufficient user input validation. An unauthenticated LAN attacker can inject arbitrary SQL code to read, modify and delete the database. The RT-AX56U firmware from ASUSTeK Computer Inc. contains an SQL injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). ASUS RT-AX56U is a wireless router from ASUS in Taiwan.

Trust: 2.16

sources: NVD: CVE-2022-23972 // JVNDB: JVNDB-2022-007936 // CNVD: CNVD-2022-31518

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-31518

AFFECTED PRODUCTS

vendor: asus, model: rt-ax56u, scope: eq, version: 3.0.0.4.386.45898

Trust: 1.6

vendor: asustek computer, model: rt-ax56u, scope: -, version: -

Trust: 0.8

vendor: asustek computer, model: rt-ax56u, scope: eq, version: -

Trust: 0.8

vendor: asustek computer, model: rt-ax56u, scope: eq, version: rt-ax56u firmware 3.0.0.4.386.45898

Trust: 0.8

sources: CNVD: CNVD-2022-31518 // JVNDB: JVNDB-2022-007936 // NVD: CVE-2022-23972

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23972
value: HIGH

Trust: 1.0

twcert@cert.org.tw: CVE-2022-23972
value: HIGH

Trust: 1.0

NVD: CVE-2022-23972
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-31518
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202204-2612
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-23972
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-31518
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23972
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-23972
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-31518 // JVNDB: JVNDB-2022-007936 // CNNVD: CNNVD-202204-2612 // NVD: CVE-2022-23972 // NVD: CVE-2022-23972

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.0

problemtype: SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-007936 // NVD: CVE-2022-23972

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202204-2612

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202204-2612

PATCH

title: Patch for ASUS RT-AX56U SQL Injection Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/330226

Trust: 0.6

title: Repair measures for ASUS RT-AX56U SQL injection vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=189436

Trust: 0.6

sources: CNVD: CNVD-2022-31518 // CNNVD: CNNVD-202204-2612

EXTERNAL IDS

db: NVD, id: CVE-2022-23972

Trust: 3.8

db: JVNDB, id: JVNDB-2022-007936

Trust: 0.8

db: CNVD, id: CNVD-2022-31518

Trust: 0.6

db: CNNVD, id: CNNVD-202204-2612

Trust: 0.6

sources: CNVD: CNVD-2022-31518 // JVNDB: JVNDB-2022-007936 // CNNVD: CNNVD-202204-2612 // NVD: CVE-2022-23972

REFERENCES

url:https://www.twcert.org.tw/tw/cp-132-5786-d2e86-1.html

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-23972

Trust: 1.4

url:https://cxsecurity.com/cveshow/cve-2022-23972/

Trust: 0.6

sources: CNVD: CNVD-2022-31518 // JVNDB: JVNDB-2022-007936 // CNNVD: CNNVD-202204-2612 // NVD: CVE-2022-23972

SOURCES

db: CNVD, id: CNVD-2022-31518
db: JVNDB, id: JVNDB-2022-007936
db: CNNVD, id: CNNVD-202204-2612
db: NVD, id: CVE-2022-23972

LAST UPDATE DATE

2024-11-23T21:50:33.050000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-31518, date: 2022-04-22T00:00:00
db: JVNDB, id: JVNDB-2022-007936, date: 2023-07-21T08:18:00
db: CNNVD, id: CNNVD-202204-2612, date: 2022-04-15T00:00:00
db: NVD, id: CVE-2022-23972, date: 2024-11-21T06:49:32.910

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-31518, date: 2022-04-22T00:00:00
db: JVNDB, id: JVNDB-2022-007936, date: 2023-07-21T00:00:00
db: CNNVD, id: CNNVD-202204-2612, date: 2022-04-07T00:00:00
db: NVD, id: CVE-2022-23972, date: 2022-04-07T19:15:08.593