CVE-2022-43466

2022-12-1900:00:00

jpcert

www.cve.org

cve-2022-43466

command injection

network-adjacent attacker

administrative privilege

arbitrary os command

cgi program

AI Score

7.2

Confidence

High

EPSS

Percentile

13.4%

JSON

OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CGI program.

CNA Affected

[
  {
    "vendor": "BUFFALO INC.",
    "product": "WXR-5700AX7S",
    "versions": [
      {
        "version": "firmware Ver. 1.27 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WXR-5700AX7B",
    "versions": [
      {
        "version": "firmware Ver. 1.27 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-3200AX4S",
    "versions": [
      {
        "version": "firmware Ver. 1.26 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-3200AX4B",
    "versions": [
      {
        "version": "firmware Ver. 1.25",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-2533DHP2",
    "versions": [
      {
        "version": "firmware Ver. 1.22 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-A2533DHP2",
    "versions": [
      {
        "version": "firmware Ver. 1.22 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-2533DHP3",
    "versions": [
      {
        "version": "firmware Ver. 1.26 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-A2533DHP3",
    "versions": [
      {
        "version": "firmware Ver. 1.26 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-2533DHPL2",
    "versions": [
      {
        "version": "firmware Ver. 1.03 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-2533DHPLS",
    "versions": [
      {
        "version": "firmware Ver. 1.07 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WSR-2533DHPLB",
    "versions": [
      {
        "version": "firmware Ver. 1.05",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WEX-1800AX4",
    "versions": [
      {
        "version": "firmware Ver. 1.13 and earlier",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "BUFFALO INC.",
    "product": "WEX-1800AX4EA",
    "versions": [
      {
        "version": "firmware Ver. 1.13 and earlier",
        "status": "affected"
      }
    ]
  }
]

References

jvn.jp/en/vu/JVNVU97099584/

www.buffalo.jp/news/detail/20240131-01.html