ID

VAR-202312-0445


CVE

CVE-2023-49429


TITLE

SQL injection vulnerability in Shenzhen Tenda Technology Co.,Ltd. AX9 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-018806

DESCRIPTION

Tenda AX9 V22.03.01.46 was discovered to contain a SQL command injection vulnerability in the 'setDeviceInfo' feature through the 'mac' parameter at /goform/setModules. The Shenzhen Tenda Technology Co.,Ltd. AX9 firmware contains a SQL injection vulnerability; information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). There is a command execution vulnerability in Tenda AX9 V22.03.01.46 in the constructed command. An attacker could exploit this vulnerability to cause arbitrary command execution.

Trust: 2.16

sources: NVD: CVE-2023-49429 // JVNDB: JVNDB-2023-018806 // CNVD: CNVD-2023-98046

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-98046

AFFECTED PRODUCTS

vendor: tenda / model: ax9 / scope: eq / version: 22.03.01.46

Trust: 1.0

vendor: tenda / model: ax9 / scope: eq / version: -

Trust: 0.8

vendor: tenda / model: ax9 / scope: eq / version: ax9 firmware 22.03.01.46

Trust: 0.8

vendor: tenda / model: ax9 / scope: - / version: -

Trust: 0.8

vendor: tenda / model: ax9 / scope: eq / version: v22.03.01.46

Trust: 0.6

sources: CNVD: CNVD-2023-98046 // JVNDB: JVNDB-2023-018806 // NVD: CVE-2023-49429

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-49429
value: CRITICAL

Trust: 1.0

NVD: CVE-2023-49429
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2023-98046
value: HIGH

Trust: 0.6

CNVD: CNVD-2023-98046
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-49429
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-49429
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-98046 // JVNDB: JVNDB-2023-018806 // NVD: CVE-2023-49429

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.0

problemtype: SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-018806 // NVD: CVE-2023-49429

EXTERNAL IDS

db: NVD / id: CVE-2023-49429

Trust: 3.2

db: JVNDB / id: JVNDB-2023-018806

Trust: 0.8

db: CNVD / id: CNVD-2023-98046

Trust: 0.6

sources: CNVD: CNVD-2023-98046 // JVNDB: JVNDB-2023-018806 // NVD: CVE-2023-49429

REFERENCES

url: https://github.com/ef4tless/vuln/blob/master/iot/ax9/setdeviceinfo.md

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-49429

Trust: 1.4

sources: CNVD: CNVD-2023-98046 // JVNDB: JVNDB-2023-018806 // NVD: CVE-2023-49429

SOURCES

db: CNVD / id: CNVD-2023-98046
db: JVNDB / id: JVNDB-2023-018806
db: NVD / id: CVE-2023-49429

LAST UPDATE DATE

2024-08-14T15:41:28.177000+00:00


SOURCES UPDATE DATE

db: CNVD / id: CNVD-2023-98046 / date: 2023-12-15T00:00:00
db: JVNDB / id: JVNDB-2023-018806 / date: 2024-01-12T01:20:00
db: NVD / id: CVE-2023-49429 / date: 2023-12-09T04:44:26.117

SOURCES RELEASE DATE

db: CNVD / id: CNVD-2023-98046 / date: 2023-12-15T00:00:00
db: JVNDB / id: JVNDB-2023-018806 / date: 2024-01-12T00:00:00
db: NVD / id: CVE-2023-49429 / date: 2023-12-07T16:15:07.203