Details of VAR-202408-0169

ID

VAR-202408-0169

CVE

CVE-2024-7584

TITLE

Shenzhen Tenda Technology Co.,Ltd. of i22 Classic buffer overflow vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-007835

DESCRIPTION

A vulnerability, which was classified as critical, was found in Tenda i22 1.0.0.3(4687). Affected is the function formApPortalPhoneAuth of the file /goform/apPortalPhoneAuth. The manipulation of the argument data leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of i22 Firmware has a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Tenda i22 is a dual-band ceiling-mounted wireless access point from Tenda. A remote attacker can use this vulnerability to submit special requests, which can cause the application to crash or execute arbitrary code in the context of the application

Trust: 2.16

sources: NVD: CVE-2024-7584 // JVNDB: JVNDB-2024-007835 // CNVD: CNVD-2024-35556

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-35556

AFFECTED PRODUCTS

vendor:	tenda	model:	i22	scope:	eq	version:	1.0.0.3\(4687\)	Trust: 1.0
vendor:	tenda	model:	i22	scope:	-	version:	-	Trust: 0.8
vendor:	tenda	model:	i22	scope:	eq	version:	-	Trust: 0.8
vendor:	tenda	model:	i22	scope:	eq	version:	i22 firmware 1.0.0.3(4687)	Trust: 0.8
vendor:	tenda	model:	i22	scope:	eq	version:	1.0.0.3(4687)	Trust: 0.6

sources: CNVD: CNVD-2024-35556 // JVNDB: JVNDB-2024-007835 // NVD: CVE-2024-7584

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2024-7584
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-7584
value:	CRITICAL
Trust: 1.0
OTHER:	JVNDB-2024-007835
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2024-35556
value:	HIGH
Trust: 0.6

cna@vuldb.com:	CVE-2024-7584
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2024-007835
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2024-35556
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2024-7584
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2024-7584
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2024-007835
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-35556 // JVNDB: JVNDB-2024-007835 // NVD: CVE-2024-7584 // NVD: CVE-2024-7584

PROBLEMTYPE DATA

problemtype:	CWE-120	Trust: 1.0
problemtype:	Classic buffer overflow (CWE-120) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-007835 // NVD: CVE-2024-7584

EXTERNAL IDS

db:	NVD	id:	CVE-2024-7584	Trust: 3.2
db:	VULDB	id:	273864	Trust: 1.0
db:	JVNDB	id:	JVNDB-2024-007835	Trust: 0.8
db:	CNVD	id:	CNVD-2024-35556	Trust: 0.6

sources: CNVD: CNVD-2024-35556 // JVNDB: JVNDB-2024-007835 // NVD: CVE-2024-7584

REFERENCES

url:	https://github.com/beacox/iot_vuln/tree/main/tenda/i22/apportalphoneauth	Trust: 2.4
url:	https://vuldb.com/?submit.382836	Trust: 1.8
url:	https://vuldb.com/?ctiid.273864	Trust: 1.0
url:	https://vuldb.com/?id.273864	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-7584	Trust: 0.8

sources: CNVD: CNVD-2024-35556 // JVNDB: JVNDB-2024-007835 // NVD: CVE-2024-7584

SOURCES

db:	CNVD	id:	CNVD-2024-35556
db:	JVNDB	id:	JVNDB-2024-007835
db:	NVD	id:	CVE-2024-7584

LAST UPDATE DATE

2024-09-13T23:44:57.007000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-35556	date:	2024-08-15T00:00:00
db:	JVNDB	id:	JVNDB-2024-007835	date:	2024-09-12T01:39:00
db:	NVD	id:	CVE-2024-7584	date:	2024-09-11T19:25:04.143

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-35556	date:	2024-08-14T00:00:00
db:	JVNDB	id:	JVNDB-2024-007835	date:	2024-09-12T00:00:00
db:	NVD	id:	CVE-2024-7584	date:	2024-08-07T17:15:52.730