ID

VAR-202401-1164


CVE

CVE-2023-51972


TITLE

Tenda AX1803 command injection vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-05738

DESCRIPTION

Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Tenda AX1803 is a dual-band Gigabit Wi-Fi 6 router from China's Tenda Company. The vulnerability is caused by the fromAdvSetLanIp method failing to correctly filter special characters, commands, etc. when constructing a command. An attacker could exploit this vulnerability to execute arbitrary commands.

Trust: 1.44

sources: NVD: CVE-2023-51972 // CNVD: CNVD-2024-05738

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-05738

AFFECTED PRODUCTS

vendor: tenda, model: ax1803, scope: eq, version: 1.0.0.1

Trust: 1.0

vendor: tenda, model: ax1803, scope: eq, version: v1.0.0.1

Trust: 0.6

sources: CNVD: CNVD-2024-05738 // NVD: CVE-2023-51972

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-51972
value: CRITICAL

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2023-51972
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2024-05738
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-05738
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-51972
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

sources: CNVD: CNVD-2024-05738 // NVD: CVE-2023-51972 // NVD: CVE-2023-51972

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

sources: NVD: CVE-2023-51972

PATCH

title: Patch for Tenda AX1803 command injection vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/521196

Trust: 0.6

sources: CNVD: CNVD-2024-05738

EXTERNAL IDS

db: NVD, id: CVE-2023-51972

Trust: 1.6

db: CNVD, id: CNVD-2024-05738

Trust: 0.6

sources: CNVD: CNVD-2024-05738 // NVD: CVE-2023-51972

REFERENCES

url: https://grove-laser-8ad.notion.site/tenda-ax1803-command-injection-in-fromadvsetlanip-7b2892fac8234cff90ca15af4947a8e7

Trust: 1.6

sources: CNVD: CNVD-2024-05738 // NVD: CVE-2023-51972

SOURCES

db: CNVD, id: CNVD-2024-05738
db: NVD, id: CVE-2023-51972

LAST UPDATE DATE

2024-09-05T05:02:46.540000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-05738, date: 2024-01-25T00:00:00
db: NVD, id: CVE-2023-51972, date: 2024-09-03T21:35:07.130

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-05738, date: 2024-01-25T00:00:00
db: NVD, id: CVE-2023-51972, date: 2024-01-10T13:15:48.593