All the vulnerabilities related to Seiko Solutions Inc. - SkySpider MB-R210 firmware
jvndb-2023-000029
Vulnerability from jvndb
Published
2023-03-31 15:54
Modified
2024-05-27 17:08
Severity
Summary
Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210
Details
SkyBridge MB-A100/A110/A200/A130 and SkySpider MB-R210, provided by Seiko Solutions Inc., contain the multiple vulnerabilities listed below.
- Exposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2016-2183
- Command injection (CWE-77) - CVE-2022-36556
- Unrestricted upload of file with dangerous type (CWE-434) - CVE-2022-36557
- Use of hard-coded credentials (CWE-798) - CVE-2022-36558
- Command injection (CWE-77) - CVE-2022-36559
- Use of hard-coded credentials (CWE-798) - CVE-2022-36560
- Improper privilege management (CWE-269) - CVE-2023-22361
- Missing authentication for critical function (CWE-306) - CVE-2023-22441
- Improper access control (CWE-284) - CVE-2023-23578
- Improper following of a certificate's chain of trust (CWE-296) - CVE-2023-23901
- Missing authentication for critical function (CWE-306) - CVE-2023-23906
- Cleartext storage of sensitive information (CWE-312) - CVE-2023-24586
- Cleartext transmission of sensitive information (CWE-319) - CVE-2023-25070
- Use of weak credentials (CWE-1391) - CVE-2023-25072
- Use of weak credentials (CWE-1391) - CVE-2023-25184
The developer states that attacks exploiting CVE-2022-36556 have been observed.
CVE-2023-22441
MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2016-2183, CVE-2022-36556, CVE-2022-36557, CVE-2022-36558, CVE-2022-36559, CVE-2022-36560, CVE-2023-22361, CVE-2023-23578, CVE-2023-23901, CVE-2023-23906, CVE-2023-24586, CVE-2023-25070, CVE-2023-25072, CVE-2023-25184
Thomas J. Knudsen and Samy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
Impacted products
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000029.html", "dc:date": "2024-05-27T17:08+09:00", "dcterms:issued": "2023-03-31T15:54+09:00", "dcterms:modified": "2024-05-27T17:08+09:00", "description": "SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 provided by Seiko Solutions Inc. contain multiple vulnerabilities listed below.\r\n\u003cul\u003e\r\n\u003cli\u003eExposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2016-2183\r\n\u003cli\u003eCommand injection (CWE-77) - CVE-2022-36556\r\n\u003cli\u003eUnrestricted upload of file with dangerous type (CWE-434) - CVE-2022-36557\r\n\u003cli\u003eUse of hard-coded credentials (CWE-798) - CVE-2022-36558\r\n\u003cli\u003eCommand injection (CWE-77) - CVE-2022-36559\r\n\u003cli\u003eUse of hard-coded credentials (CWE-798) - CVE-2022-36560\r\n\u003cli\u003eImproper privilege management (CWE-269) - CVE-2023-22361\r\n\u003cli\u003eMissing authentication for critical function (CWE-306) - CVE-2023-22441\r\n\u003cli\u003eImproper access control (CWE-284) - CVE-2023-23578\r\n\u003cli\u003eImproper following of a certificate\u0027s chain of trust (CWE-296) - CVE-2023-23901\r\n\u003cli\u003eMissing authentication for critical function (CWE-306) - CVE-2023-23906\r\n\u003cli\u003eCleartext storage of sensitive information (CWE-312) - CVE-2023-24586\r\n\u003cli\u003eCleartext transmission of sensitive information (CWE-319) - CVE-2023-25070\r\n\u003cli\u003eUse of weak credentials (CWE-1391) - CVE-2023-25072\r\n\u003cli\u003eUse of weak credentials (CWE-1391) - CVE-2023-25184\r\n\u003c/ul\u003e\r\nThe developer states that attacks exploiting CVE-2022-36556 have been observed.\r\n\r\n\r\nCVE-2023-22441\r\nMASAHIRO IIDA of LAC Co., Ltd. 
reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2016-2183, CVE-2022-36556, CVE-2022-36557, CVE-2022-36558, CVE-2022-36559, CVE-2022-36560, CVE-2023-22361, CVE-2023-23578, CVE-2023-23901, CVE-2023-23906, CVE-2023-24586, CVE-2023-25070, CVE-2023-25072, CVE-2023-25184\r\nThomas J. Knudsen and Samy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.", "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000029.html", "sec:cpe": [ { "#text": "cpe:/o:seiko-sol:skybridge_basic_mb-a130_firmware", "@product": "SkyBridge BASIC MB-A130 firmware", "@vendor": "Seiko Solutions Inc.", "@version": "2.2" }, { "#text": "cpe:/o:seiko-sol:skybridge_mb-a100_firmware", "@product": "SkyBridge MB-A100 firmware", "@vendor": "Seiko Solutions Inc.", "@version": "2.2" }, { "#text": "cpe:/o:seiko-sol:skybridge_mb-a110_firmware", "@product": "SkyBridge MB-A110 firmware", "@vendor": "Seiko Solutions Inc.", "@version": "2.2" }, { "#text": "cpe:/o:seiko-sol:skybridge_mb-a200_firmware", "@product": "SkyBridge MB-A200 firmware", "@vendor": "Seiko Solutions Inc.", "@version": "2.2" }, { "#text": "cpe:/o:seiko-sol:skyspider_mb-r210_firmware", "@product": "SkySpider MB-R210 firmware", "@vendor": "Seiko Solutions Inc.", "@version": "2.2" } ], "sec:cvss": [ { "@score": "9.0", "@severity": "High", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C", "@version": "2.0" }, { "@score": "8.6", "@severity": "High", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "@version": "3.0" } ], "sec:identifier": "JVNDB-2023-000029", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN40604023/index.html", "@id": "JVN#40604023", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-22361", "@id": "CVE-2023-22361", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-22441", 
"@id": "CVE-2023-22441", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-23578", "@id": "CVE-2023-23578", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-23901", "@id": "CVE-2023-23901", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-23906", "@id": "CVE-2023-23906", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-24586", "@id": "CVE-2023-24586", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-25070", "@id": "CVE-2023-25070", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-25072", "@id": "CVE-2023-25072", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-25184", "@id": "CVE-2023-25184", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2016-2183", "@id": "CVE-2016-2183", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-36556", "@id": "CVE-2022-36556", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-36557", "@id": "CVE-2022-36557", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-36558", "@id": "CVE-2022-36558", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-36559", "@id": "CVE-2022-36559", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-36560", "@id": "CVE-2022-36560", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183", "@id": "CVE-2016-2183", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-36556", "@id": "CVE-2022-36556", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-36557", "@id": "CVE-2022-36557", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-36558", "@id": "CVE-2022-36558", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-36559", "@id": "CVE-2022-36559", "@source": "NVD" }, { "#text": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-36560", "@id": "CVE-2022-36560", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22361", "@id": "CVE-2023-22361", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22441", "@id": "CVE-2023-22441", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-23578", "@id": "CVE-2023-23578", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-23901", "@id": "CVE-2023-23901", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-23906", "@id": "CVE-2023-23906", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-24586", "@id": "CVE-2023-24586", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-25070", "@id": "CVE-2023-25070", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-25072", "@id": "CVE-2023-25072", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-25184", "@id": "CVE-2023-25184", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-200", "@title": "Information Exposure(CWE-200)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-264", "@title": "Permissions(CWE-264)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-287", "@title": "Improper Authentication(CWE-287)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210" }