PT-2022-23304 · Airspan · Airspan Airvelocity 1500
Vladionescu · Published 2022-08-16 · Updated 2022-08-17
CVE-2022-36309
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Airspan AirVelocity 1500 versions prior to 15.18.00.2511
Description
The issue is a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script, which runs on the eNodeB's web management UI. This vulnerability may also affect other AirVelocity and AirSpeed models.
Recommendations
For versions prior to 15.18.00.2511, update to version 15.18.00.2511 or later to resolve the issue.
As a temporary workaround, consider restricting access to the recoverySubmit.cgi script until a patch is available.
Avoid using the ActiveBank parameter in the affected script until the issue is resolved.
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Airspan Airvelocity 1500