CVE-2024-45348 - Vulnerability Details - OpenCVE

Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mi	Ax9000 Ax9000 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:mi:ax9000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mi:ax9000:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=547

History

Mon, 25 Nov 2024 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mi ax9000
CPEs		cpe:2.3:h:mi:ax9000:-:::::::*
Vendors & Products		Mi ax9000

Mon, 23 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mi Mi ax9000 Firmware
CPEs		cpe:2.3:o:mi:ax9000_firmware::::::::
Vendors & Products		Mi Mi ax9000 Firmware
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Sep 2024 09:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77

Mon, 23 Sep 2024 08:45:00 +0000

Type	Values Removed	Values Added
Description		Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.
Title		Xiaomi Router AX9000 has a post-authorization command injection vulnerability
References		https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=547
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Xiaomi

Published: 2024-09-23T08:25:47.868Z

Updated: 2024-09-23T15:36:16.866Z

Reserved: 2024-08-28T02:24:34.837Z

Link: CVE-2024-45348

Vulnrichment

Updated: 2024-09-23T15:36:11.555Z

NVD

Status : Analyzed

Published: 2024-09-23T09:15:02.960

Modified: 2024-11-25T17:14:11.713

Link: CVE-2024-45348

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45348", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "state": "PUBLISHED", "assignerShortName": "Xiaomi", "dateReserved": "2024-08-28T02:24:34.837Z", "datePublished": "2024-09-23T08:25:47.868Z", "dateUpdated": "2024-09-23T15:36:16.866Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Xiaomi Router AX9000", "vendor": "Xiaomi", "versions": [{"status": "affected", "version": "1.0.173"}]}], "datePublic": "2024-09-14T08:22:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(245, 247, 249);\">Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.</span><br>"}], "value": "Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code."}], "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2024-09-23T09:01:54.132Z"}, "references": [{"url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=547"}], "source": {"discovery": "UNKNOWN"}, "title": "Xiaomi Router AX9000 has a post-authorization command injection vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "mi", "product": "ax9000_firmware", "cpes": ["cpe:2.3:o:mi:ax9000_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "1.0.173", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T15:34:09.867821Z", "id": "CVE-2024-45348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T15:36:16.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T15:34:09.867821Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:mi:ax9000_firmware:*:*:*:*:*:*:*:*"], "vendor": "mi", "product": "ax9000_firmware", "versions": [{"status": "affected", "version": "1.0.173"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T15:36:11.555Z"}}], "cna": {"title": "Xiaomi Router AX9000 has a post-authorization command injection vulnerability", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Xiaomi", "product": "Xiaomi Router AX9000", "versions": [{"status": "affected", "version": "1.0.173"}], "defaultStatus": "affected"}], "datePublic": "2024-09-14T08:22:00.000Z", "references": [{"url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=547"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(245, 247, 249);\">Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2024-09-23T09:01:54.132Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45348", "state": "PUBLISHED", "dateUpdated": "2024-09-23T15:36:16.866Z", "dateReserved": "2024-08-28T02:24:34.837Z", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "datePublished": "2024-09-23T08:25:47.868Z", "assignerShortName": "Xiaomi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mi:ax9000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7688CC6F-000D-4B68-B806-EBDF2ABDCF61", "versionEndExcluding": "1.0.174", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mi:ax9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5F71A5A-A7D4-4218-B371-25BE040BB320", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code."}, {"lang": "es", "value": "Xiaomi Router AX9000 tiene una vulnerabilidad de inyecci\u00f3n de comandos posterior a la autorizaci\u00f3n. Esta vulnerabilidad se debe a la falta de validaci\u00f3n de la entrada del usuario y un atacante puede aprovecharla para ejecutar c\u00f3digo arbitrario."}], "id": "CVE-2024-45348", "lastModified": "2024-11-25T17:14:11.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "security@xiaomi.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-23T09:15:02.960", "references": [{"source": "security@xiaomi.com", "tags": ["Vendor Advisory"], "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=547"}], "sourceIdentifier": "security@xiaomi.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@xiaomi.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}