CVE-2022-23135

EPSS 0.37%
Veröffentlicht 24.02.2022 19:15:10
Zuletzt bearbeitet 21.11.2024 06:48:04
Quelle psirt@zte.com.cn
CVE-Watchlists
Login
Unerledigt
Login

There is a directory traversal vulnerability in some home gateway products of ZTE. Due to the lack of verification of user modified destination path, an attacker with specific permissions could modify the FTP access path to access and modify the system path contents without authorization, which will cause information leak and affect device operation.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zte ≫ Zxhn F677 Firmware Version < 9.0.0p1n29

Zte ≫ Zxhn F677 Version-

Zte ≫ Zxhn F477 Firmware Version < 9.0.0p1n29

Zte ≫ Zxhn F477 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.578

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:N/A:P

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1023444

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-23135

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-23135

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-23135

EUVD