CVE-2021-37384

RCE (Remote Code Execution) vulnerability was found in some Furukawa ONU models, this vulnerability allows remote unauthenticated users to send arbitrary commands to the device via web interface.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/94.html	Not Applicable
https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt	Third Party Advisory
https://owasp.org/www-community/attacks/Code_Injection	Not Applicable
https://www.softwall.com.br/cves/publicacao-rce-html-injection-furukawa/
https://cwe.mitre.org/data/definitions/94.html	Not Applicable
https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt	Third Party Advisory
https://owasp.org/www-community/attacks/Code_Injection	Not Applicable
https://www.softwall.com.br/cves/publicacao-rce-html-injection-furukawa/

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:furukawa:423-41w\/ac_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:furukawa:423-41w\/ac:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:furukawa:ld421-21w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:furukawa:ld421-21w:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:furukawa:ld420-10r_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:furukawa:ld420-10r:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:furukawa:ld421-21wv_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:furukawa:ld421-21wv:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:15

Type	Values Removed	Values Added
References	~~() https://cwe.mitre.org/data/definitions/94.html - Not Applicable~~	() https://cwe.mitre.org/data/definitions/94.html - Not Applicable
References	~~() https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt - Third Party Advisory~~	() https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt - Third Party Advisory
References	~~() https://owasp.org/www-community/attacks/Code_Injection - Not Applicable~~	() https://owasp.org/www-community/attacks/Code_Injection - Not Applicable
References	~~() https://www.softwall.com.br/cves/publicacao-rce-html-injection-furukawa/ -~~	() https://www.softwall.com.br/cves/publicacao-rce-html-injection-furukawa/ -

01 Aug 2024, 13:42

Type	Values Removed	Values Added
CWE		CWE-94

16 May 2024, 22:15

Type	Values Removed	Values Added
Summary	(en) A remote command execution (RCE) vulnerability in the web interface component of Furukawa Electric LatAM 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 allows unauthenticated attackers to send arbitrary commands to the device via unspecified vectors.	(en) RCE (Remote Code Execution) vulnerability was found in some Furukawa ONU models, this vulnerability allows remote unauthenticated users to send arbitrary commands to the device via web interface.

22 Aug 2023, 23:15

Type	Values Removed	Values Added
References		(MISC) https://www.softwall.com.br/cves/publicacao-rce-html-injection-furukawa/ -

01 Aug 2023, 02:15

Type	Values Removed	Values Added
Summary	A remote command execution (RCE) vulnerability in the web interface component of Furukawa 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 allows unauthenticated attackers to send arbitrary commands to the device via unspecified vectors.	A remote command execution (RCE) vulnerability in the web interface component of Furukawa Electric LatAM 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 allows unauthenticated attackers to send arbitrary commands to the device via unspecified vectors.

28 Jul 2023, 13:16

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:o:furukawa:ld421-21w_firmware:::::::: cpe:2.3:h:furukawa:ld421-21wv:-:::::::* cpe:2.3:o:furukawa:423-41w\/ac_firmware:::::::: cpe:2.3:o:furukawa:ld420-10r_firmware:::::::: cpe:2.3:o:furukawa:ld421-21wv_firmware:::::::: cpe:2.3:h:furukawa:ld420-10r:-:::::::* cpe:2.3:h:furukawa:ld421-21w:-:::::::* cpe:2.3:h:furukawa:423-41w\/ac:-:::::::*
First Time		Furukawa ld421-21wv Furukawa 423-41w\/ac Furukawa ld421-21wv Firmware Furukawa ld420-10r Furukawa ld421-21w Furukawa ld420-10r Firmware Furukawa Furukawa ld421-21w Firmware Furukawa 423-41w\/ac Firmware
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~(MISC) https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt -~~	(MISC) https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt - Third Party Advisory
References	~~(MISC) https://owasp.org/www-community/attacks/Code_Injection -~~	(MISC) https://owasp.org/www-community/attacks/Code_Injection - Not Applicable
References	~~(MISC) https://cwe.mitre.org/data/definitions/94.html -~~	(MISC) https://cwe.mitre.org/data/definitions/94.html - Not Applicable

17 Jul 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-17 21:15

Updated : 2024-11-21 06:15

NVD link : CVE-2021-37384

Mitre link : CVE-2021-37384

CVE.ORG link : CVE-2021-37384

JSON object : View

Products Affected

furukawa

ld421-21w
ld421-21w_firmware
ld420-10r_firmware
ld420-10r
423-41w\/ac_firmware
ld421-21wv_firmware
ld421-21wv
423-41w\/ac

CWE

NVD-CWE-noinfo CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10