jvn.jp
54.230.167.27  Public Scan

URL: https://jvn.jp/en/vu/JVNVU92862829/index.html
Submission: On June 29 via api from NL — Scanned from JP

Form analysis 0 forms found in the DOM

Text Content

Published: 2021/05/31  Last Updated: 2021/05/31


JVNVU#92862829
MULTIPLE VULNERABILITIES IN BUFFALO WSR-1166DHP3 AND WSR-1166DHP4 ROUTERS



OVERVIEW

Buffalo WSR-1166DHP3 and WSR-1166DHP4 routers provided by Buffalo Inc. contain
multiple vulnerabilities.


PRODUCTS AFFECTED



 * WSR-1166DHP3 firmware Ver.1.16 and prior
 * WSR-1166DHP4 firmware Ver.1.02 and prior




DESCRIPTION

Buffalo WSR-1166DHP3 and WSR-1166DHP4 routers provided by Buffalo Inc. contain
multiple vulnerabilities listed below.

 * Improper access control (CWE-284) - CVE-2021-20730
   
   CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

 * OS command injection (CWE-78) - CVE-2021-20731
   
   CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L Base Score: 5.4




IMPACT



 * An unauthenticated network-adjacent attacker can obtain configuration
   information. - CVE-2021-20730
 * An unauthenticated network-adjacent attacker can execute multiple OS commands
   with root privileges. - CVE-2021-20731




SOLUTION

Update firmware
Apply the appropriate firmware update according to the information provided by
the developer.
The developer has released fixed versions listed below.

 * WSR-1166DHP3 firmware Ver.1.17
 * WSR-1166DHP4 firmware Ver.1.03




VENDOR STATUS

Vendor: BUFFALO INC.
Status: Vulnerable
Last Update: 2021/05/31
Vendor Notes: BUFFALO INC. website




CREDIT

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.


OTHER INFORMATION



CVE: CVE-2021-20730, CVE-2021-20731







Copyright (c) 2000-2021 JPCERT/CC and IPA. All rights reserved.