cnvd - cnvd-2024-36355

cnvd-2024-36355

Vulnerability from cnvd

Title: D-Link DI-8100命令注入漏洞

Description:

D-Link DI-8100是中国友讯（D-Link）公司的一款专为中小型网络环境设计的无线宽带路由器。

D-Link DI-8100 16.07版本存在命令注入漏洞，该漏洞源于文件upgrade_filter. asp的upgrade_filter_asp对参数路径的操纵会导致命令注入，从而可以远程发起攻击。目前没有详细的漏洞细节提供。

Severity: 中

Formal description:

厂商尚未发布漏洞修复程序，请及时关注更新: https://github.com/aLtEr6/pdf/blob/main/3.pdf

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-7833

Impacted products

Name
D-Link D-Link DI-8100 16.07

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-7833",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-7833"
    }
  },
  "description": "D-Link DI-8100\u662f\u4e2d\u56fd\u53cb\u8baf\uff08D-Link\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u4e13\u4e3a\u4e2d\u5c0f\u578b\u7f51\u7edc\u73af\u5883\u8bbe\u8ba1\u7684\u65e0\u7ebf\u5bbd\u5e26\u8def\u7531\u5668\u3002\n\nD-Link DI-8100 16.07\u7248\u672c\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6upgrade_filter. asp\u7684upgrade_filter_asp\u5bf9\u53c2\u6570\u8def\u5f84\u7684\u64cd\u7eb5\u4f1a\u5bfc\u81f4\u547d\u4ee4\u6ce8\u5165\uff0c\u4ece\u800c\u53ef\u4ee5\u8fdc\u7a0b\u53d1\u8d77\u653b\u51fb\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0:\r\nhttps://github.com/aLtEr6/pdf/blob/main/3.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-36355",
  "openTime": "2024-08-22",
  "products": {
    "product": "D-Link D-Link DI-8100 16.07"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-7833",
  "serverity": "\u4e2d",
  "submitTime": "2024-08-16",
  "title": "D-Link DI-8100\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2024-7833 (GCVE-0-2024-7833)

Vulnerability from cvelistv5

Published

2024-08-15 14:00

Modified

2024-09-03 18:03

Severity ?

5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-77 - Command Injection

Summary

A vulnerability was found in D-Link DI-8100 16.07. It has been classified as critical. This affects the function upgrade_filter_asp of the file upgrade_filter.asp. The manipulation of the argument path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

References

▼	URL	Tags
	https://vuldb.com/?id.274731	vdb-entry, technical-description
	https://vuldb.com/?ctiid.274731	signature, permissions-required
	https://vuldb.com/?submit.385338	third-party-advisory
	https://github.com/aLtEr6/pdf/blob/main/3.pdf	exploit

Impacted products

	Vendor	Product	Version
	D-Link	DI-8100	Version: 16.07

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7833",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-16T15:31:07.142691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T18:03:42.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DI-8100",
          "vendor": "D-Link",
          "versions": [
            {
              "status": "affected",
              "version": "16.07"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "aLtEr (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in D-Link DI-8100 16.07. It has been classified as critical. This affects the function upgrade_filter_asp of the file upgrade_filter.asp. The manipulation of the argument path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in D-Link DI-8100 16.07 ausgemacht. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion upgrade_filter_asp der Datei upgrade_filter.asp. Mittels Manipulieren des Arguments path mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-15T14:00:04.876Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-274731 | D-Link DI-8100 upgrade_filter.asp upgrade_filter_asp command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.274731"
        },
        {
          "name": "VDB-274731 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.274731"
        },
        {
          "name": "Submit #385338 | D-Link NetworkManager D-LINK DI-8100 16.07 Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.385338"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/aLtEr6/pdf/blob/main/3.pdf"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-08-15T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-08-15T07:51:58.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D-Link DI-8100 upgrade_filter.asp upgrade_filter_asp command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-7833",
    "datePublished": "2024-08-15T14:00:04.876Z",
    "dateReserved": "2024-08-15T05:46:45.587Z",
    "dateUpdated": "2024-09-03T18:03:42.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted