CVE-2021-42912

Published: Dec 16, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon.

Affected (8)

Products: Fiberhome: An5506 01 A Firmware, An5506 01 B Firmware, An5506 02 B Firmware, An5506 04 B Firmware, An5506 04 F Firmware, Aan5506 04 G2g Firmware

6 products

Aan5506 04 G2g Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fiberhome An5506 01 A Firmware	Version rp0509

Running on/with	Platform Versions
Fiberhome An5506 01 A	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fiberhome An5506 01 B Firmware	Version rp2610

Running on/with	Platform Versions
Fiberhome An5506 01 B	All versions

Configuration C

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fiberhome An5506 02 B Firmware	Version rp2520
Fiberhome An5506 02 B Firmware	Version rp2521
Fiberhome An5506 02 B Firmware	Version rp2603

Running on/with	Platform Versions
Fiberhome An5506 02 B	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fiberhome An5506 04 B Firmware	Version rp2510

Running on/with	Platform Versions
Fiberhome An5506 04 B	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fiberhome An5506 04 F Firmware	Version rp2617

Running on/with	Platform Versions
Fiberhome An5506 04 F	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fiberhome Aan5506 04 G2g Firmware	Version rp2560

Running on/with	Platform Versions
Fiberhome An5506 04 G2g	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (6)

http://fiberhome.com

Source: cve@mitre.org

Broken Link

http://onu.com

Source: cve@mitre.org

Not Applicable

https://medium.com/%40windsormoreira/fiberhome-an5506-os-command-injection-cve-2021-42912-10b64fd10ce2

Source: cve@mitre.org

http://fiberhome.com

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

http://onu.com

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://medium.com/%40windsormoreira/fiberhome-an5506-os-command-injection-cve-2021-42912-10b64fd10ce2

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.