Details of VAR-202206-2135

ID

VAR-202206-2135

CVE

CVE-2022-33948

TITLE

HOME SPOT CUBE2 In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-000049

DESCRIPTION

HOME SPOT CUBE2 V102 contains an OS command injection vulnerability due to improper processing of data received from DHCP server. An adjacent attacker may execute an arbitrary OS command on the product if a malicious DHCP server is placed on the WAN side of the product. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. KDDI HOME SPOT CUBE2 is a home wireless router from KDDI Corporation of Japan

Trust: 2.25

sources: NVD: CVE-2022-33948 // JVNDB: JVNDB-2022-000049 // CNVD: CNVD-2022-60671 // VULMON: CVE-2022-33948

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-60671

AFFECTED PRODUCTS

vendor:	kddi	model:	home spot cube 2	scope:	lte	version:	v102	Trust: 1.0
vendor:	kddi	model:	home spot cube2	scope:	lte	version:	v102 and earlier	Trust: 0.8
vendor:	kddi	model:	home spot cube2	scope:	eq	version:	-	Trust: 0.8
vendor:	kddi	model:	home spot cube2	scope:	eq	version:	v102	Trust: 0.6

sources: CNVD: CNVD-2022-60671 // JVNDB: JVNDB-2022-000049 // NVD: CVE-2022-33948

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-33948
value:	HIGH
Trust: 1.0
IPA:	JVNDB-2022-000049
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-60671
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202206-2821
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-33948
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2022-33948
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
IPA:	JVNDB-2022-000049
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2022-60671
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-33948
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
IPA:	JVNDB-2022-000049
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-60671 // VULMON: CVE-2022-33948 // JVNDB: JVNDB-2022-000049 // CNNVD: CNNVD-202206-2821 // NVD: CVE-2022-33948

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [IPA evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-000049 // NVD: CVE-2022-33948

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202206-2821

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202206-2821

PATCH

title:

HOME SPOT CUBE2

url:

https://www.au.com/support/service/mobile/guide/wlan/home_spot_cube_2/

Trust: 0.8

sources: JVNDB: JVNDB-2022-000049

EXTERNAL IDS

db:	NVD	id:	CVE-2022-33948	Trust: 3.9
db:	JVN	id:	JVN41017328	Trust: 2.5
db:	JVNDB	id:	JVNDB-2022-000049	Trust: 1.4
db:	CNVD	id:	CNVD-2022-60671	Trust: 0.6
db:	CS-HELP	id:	SB2022062910	Trust: 0.6
db:	CNNVD	id:	CNNVD-202206-2821	Trust: 0.6
db:	VULMON	id:	CVE-2022-33948	Trust: 0.1

sources: CNVD: CNVD-2022-60671 // VULMON: CVE-2022-33948 // JVNDB: JVNDB-2022-000049 // CNNVD: CNNVD-202206-2821 // NVD: CVE-2022-33948

REFERENCES

url:	https://www.au.com/support/service/mobile/guide/wlan/home_spot_cube_2/	Trust: 2.3
url:	https://jvn.jp/en/jp/jvn41017328/index.html	Trust: 1.7
url:	https://jvn.jp/jp/jvn41017328/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-33948	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-33948/	Trust: 0.6
url:	https://jvndb.jvn.jp/en/contents/2022/jvndb-2022-000049.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022062910	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-60671 // VULMON: CVE-2022-33948 // JVNDB: JVNDB-2022-000049 // CNNVD: CNNVD-202206-2821 // NVD: CVE-2022-33948

SOURCES

db:	CNVD	id:	CNVD-2022-60671
db:	VULMON	id:	CVE-2022-33948
db:	JVNDB	id:	JVNDB-2022-000049
db:	CNNVD	id:	CNNVD-202206-2821
db:	NVD	id:	CVE-2022-33948

LAST UPDATE DATE

2024-08-14T14:49:43.368000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-60671	date:	2022-08-31T00:00:00
db:	VULMON	id:	CVE-2022-33948	date:	2022-07-15T00:00:00
db:	JVNDB	id:	JVNDB-2022-000049	date:	2024-06-17T01:44:00
db:	CNNVD	id:	CNNVD-202206-2821	date:	2022-07-18T00:00:00
db:	NVD	id:	CVE-2022-33948	date:	2022-07-15T13:10:05.463

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-60671	date:	2022-08-31T00:00:00
db:	VULMON	id:	CVE-2022-33948	date:	2022-07-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-000049	date:	2022-06-29T00:00:00
db:	CNNVD	id:	CNNVD-202206-2821	date:	2022-06-29T00:00:00
db:	NVD	id:	CVE-2022-33948	date:	2022-07-04T02:15:07.620