Published: 2021/12/23 Last Updated: 2021/12/23
JVNVU#94883311
TP-Link TL-WR802N V4(JP) vulnerable to OS command injection
Overview
TP-Link TL-WR802N V4(JP) is vulnerable to OS command injection.
Products Affected
- TP-Link TL-WR802N V4(JP) with firmware versions prior to 211202
Description
TP-Link TL-WR802N is a Wi-Fi router for home networks.
Firmware version 170705 is reported to be vulnerable to OS command injection (CWE-78).
Impact
Any user who can log in to the web interface of the affected product may execute arbitrary OS commands.
Solution
Update the Firmware
Update to the latest version of the firmware according to the information provided by the developer.
The developer has released firmware version 211202 to fix this vulnerability.
Vendor Status
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score: 7.2
Metric | Possible values | Selected (per the vector string) |
---|---|---|
Attack Vector (AV) | Physical (P), Local (L), Adjacent (A), Network (N) | Network (N) |
Attack Complexity (AC) | High (H), Low (L) | Low (L) |
Privileges Required (PR) | High (H), Low (L), None (N) | High (H) |
User Interaction (UI) | Required (R), None (N) | None (N) |
Scope (S) | Unchanged (U), Changed (C) | Unchanged (U) |
Confidentiality Impact (C) | None (N), Low (L), High (H) | High (H) |
Integrity Impact (I) | None (N), Low (L), High (H) | High (H) |
Availability Impact (A) | None (N), Low (L), High (H) | High (H) |
CVSS v2
AV:N/AC:M/Au:S/C:C/I:C/A:C
Base Score: 8.5
Metric | Possible values | Selected (per the vector string) |
---|---|---|
Access Vector (AV) | Local (L), Adjacent Network (A), Network (N) | Network (N) |
Access Complexity (AC) | High (H), Medium (M), Low (L) | Medium (M) |
Authentication (Au) | Multiple (M), Single (S), None (N) | Single (S) |
Confidentiality Impact (C) | None (N), Partial (P), Complete (C) | Complete (C) |
Integrity Impact (I) | None (N), Partial (P), Complete (C) | Complete (C) |
Availability Impact (A) | None (N), Partial (P), Complete (C) | Complete (C) |
Credit
Koh You Liang of PwC Consulting LLC reported this vulnerability to the developer and JPCERT/CC.
Other Information
CVE | CVE-2021-4144 |