ID
VAR-202404-0179
CVE
CVE-2024-3909
TITLE
Shenzhen Tenda Technology Co.,Ltd. of ac500 Out-of-bounds write vulnerability in firmware
Trust: 0.8
DESCRIPTION
A vulnerability classified as critical was found in Tenda AC500 2.0.1.9(1307). Affected by this vulnerability is the function formexeCommand of the file /goform/execCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261145 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of ac500 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Tenda AC500 is a Gigabit port access controller from China's Tenda Company. Tenda AC500 version 2.0.1.9(1307) has a security vulnerability, which is caused by a buffer overflow in the cmdinput parameter of the formexeCommand method of the /goform/execCommand file. No detailed vulnerability details are currently available
Trust: 2.16
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | tenda | model: | ac500 | scope: | eq | version: | 2.0.1.9\(1307\) | Trust: 1.0 |
| vendor: | tenda | model: | ac500 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | tenda | model: | ac500 | scope: | eq | version: | ac500 firmware 2.0.1.9(1307) | Trust: 0.8 |
| vendor: | tenda | model: | ac500 | scope: | eq | version: | - | Trust: 0.8 |
| vendor: | tenda | model: | ac500 | scope: | eq | version: | 2.0.1.9(1307) | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-787 | Trust: 1.0 |
| problemtype: | CWE-121 | Trust: 1.0 |
| problemtype: | Stack-based buffer overflow (CWE-121) [ others ] | Trust: 0.8 |
| problemtype: | Out-of-bounds writing (CWE-787) [NVD evaluation ] | Trust: 0.8 |
PATCH
| title: | Patch for Tenda AC500 has an unspecified vulnerability (CNVD-2024-23312) | url: | https://www.cnvd.org.cn/patchInfo/show/546441 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2024-3909 | Trust: 3.2 |
| db: | VULDB | id: | 261145 | Trust: 2.4 |
| db: | JVNDB | id: | JVNDB-2024-018602 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2024-23312 | Trust: 0.6 |
REFERENCES
| url: | https://vuldb.com/?id.261145 | Trust: 2.4 |
| url: | https://vuldb.com/?submit.313804 | Trust: 2.4 |
| url: | https://vuldb.com/?ctiid.261145 | Trust: 1.6 |
| url: | https://github.com/abcdefg-png/iot-vulnerable/blob/main/tenda/ac500/formexecommand.md | Trust: 1.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2024-3909 | Trust: 0.8 |
| url: | https://cxsecurity.com/cveshow/cve-2024-3909/ | Trust: 0.6 |
SOURCES
| db: | CNVD | id: | CNVD-2024-23312 |
| db: | JVNDB | id: | JVNDB-2024-018602 |
| db: | NVD | id: | CVE-2024-3909 |
LAST UPDATE DATE
2025-02-14T23:03:49.188000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2024-23312 | date: | 2024-05-20T00:00:00 |
| db: | JVNDB | id: | JVNDB-2024-018602 | date: | 2025-02-12T00:49:00 |
| db: | NVD | id: | CVE-2024-3909 | date: | 2025-02-07T01:57:01.643 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2024-23312 | date: | 2024-05-15T00:00:00 |
| db: | JVNDB | id: | JVNDB-2024-018602 | date: | 2025-02-12T00:00:00 |
| db: | NVD | id: | CVE-2024-3909 | date: | 2024-04-17T12:15:07.853 |