ID

VAR-202406-1003


CVE

CVE-2024-4638


TITLE

Command injection vulnerabilities in multiple Moxa Inc. products

Trust: 0.8

sources: JVNDB: JVNDB-2024-008843

DESCRIPTION

OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in the web key upload function. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands. Multiple Moxa Inc. products, including the ONCELLG3470A-LTE-EU-T firmware, ONCELLG3470A-LTE-EU firmware and OnCellG3470A-LTE-US firmware, contain a command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). MOXA OnCell G3470A-LTE is a series of cellular gateways/routers from China's MOXA company. MOXA OnCell G3470A-LTE v1.7.7 and earlier firmware versions have a command injection vulnerability.

Trust: 2.16

sources: NVD: CVE-2024-4638 // JVNDB: JVNDB-2024-008843 // CNVD: CNVD-2024-41848

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-41848

AFFECTED PRODUCTS

vendor: moxa, model: oncell g3470a-lte-eu-t, scope: lte, version: 1.7.7

Trust: 1.0

vendor: moxa, model: oncell g3470a-lte-us, scope: lte, version: 1.7.7

Trust: 1.0

vendor: moxa, model: oncell g3470a-lte-us-t, scope: lte, version: 1.7.7

Trust: 1.0

vendor: moxa, model: oncell g3470a-lte-eu, scope: lte, version: 1.7.7

Trust: 1.0

vendor: moxa, model: oncellg3470a-lte-us, scope: -, version: -

Trust: 0.8

vendor: moxa, model: oncellg3470a-lte-eu, scope: -, version: -

Trust: 0.8

vendor: moxa, model: oncellg3470a-lte-eu-t, scope: -, version: -

Trust: 0.8

vendor: moxa, model: oncellg3470a-lte-us-t, scope: -, version: -

Trust: 0.8

vendor: moxa, model: oncell g3470a-lte, scope: lte, version: <=v1.7.7

Trust: 0.6

sources: CNVD: CNVD-2024-41848 // JVNDB: JVNDB-2024-008843 // NVD: CVE-2024-4638

CVSS

SEVERITY

nvd@nist.gov: CVE-2024-4638
value: HIGH

Trust: 1.0

psirt@moxa.com: CVE-2024-4638
value: HIGH

Trust: 1.0

NVD: CVE-2024-4638
value: HIGH

Trust: 0.8

CNVD: CNVD-2024-41848
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-41848
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2024-4638
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@moxa.com: CVE-2024-4638
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.1

Trust: 1.0

NVD: CVE-2024-4638
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-41848 // JVNDB: JVNDB-2024-008843 // NVD: CVE-2024-4638 // NVD: CVE-2024-4638

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: Command injection (CWE-77) [others]

Trust: 0.8

problemtype: Command injection (CWE-77) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2024-008843 // NVD: CVE-2024-4638

PATCH

title: Patch for MOXA OnCell G3470A-LTE Command Injection Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/601616

Trust: 0.6

sources: CNVD: CNVD-2024-41848

EXTERNAL IDS

db: NVD, id: CVE-2024-4638

Trust: 3.2

db: JVNDB, id: JVNDB-2024-008843

Trust: 0.8

db: CNVD, id: CNVD-2024-41848

Trust: 0.6

sources: CNVD: CNVD-2024-41848 // JVNDB: JVNDB-2024-008843 // NVD: CVE-2024-4638

REFERENCES

url: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2024-4638

Trust: 0.8

sources: CNVD: CNVD-2024-41848 // JVNDB: JVNDB-2024-008843 // NVD: CVE-2024-4638

SOURCES

db: CNVD, id: CNVD-2024-41848
db: JVNDB, id: JVNDB-2024-008843
db: NVD, id: CVE-2024-4638

LAST UPDATE DATE

2024-10-29T23:43:35.622000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-41848, date: 2024-10-28T00:00:00
db: JVNDB, id: JVNDB-2024-008843, date: 2024-09-25T01:50:00
db: NVD, id: CVE-2024-4638, date: 2024-09-24T17:13:43.997

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-41848, date: 2024-10-28T00:00:00
db: JVNDB, id: JVNDB-2024-008843, date: 2024-09-25T00:00:00
db: NVD, id: CVE-2024-4638, date: 2024-06-25T09:15:57.413