CVE-2021-39280

Korenix Technology JetWave CSRF / Command Injection / Missing Authentication

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Certain Korenix JetWave devices allow authenticated users to execute arbitrary code as root via /syscmd.asp. This affects 2212X before 1.9.1, 2212S before 1.9.1, 2212G before 1.8, 3220 V3 before 1.5.1, 3420 V3 before 1.5.1, and 2311 through 2022-01-31.

Algunos dispositivos Korenix JetWave permiten a usuarios autenticados ejecutar código arbitrario como root por medio del archivo /syscmd.asp. Esto afecta al 2212X versiones anteriores a 1.9.1, al 2212S versiones anteriores a 1.9.1, al 2212G versiones anteriores a 1.8, al 3220 V3 versiones anteriores a 1.5.1, al 3420 V3 versiones anteriores a 1.5.1 y al 2311 hasta el 31-01-2022

Korenix Technology JetWave products JetWave 2212X, JetWave 2212S, JetWave 2212G, JetWave 2311, and JetWave 3220 suffer from unauthenticated device administration, cross site request forgery, multiple command injection, and unauthenticated tftp action vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-08-18 CVE Reserved
2022-02-04 CVE Published
2023-08-30 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (2)

URL	Tag	Source
http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.korenix.com/en/product/search.aspx?kw=JetWave	2022-02-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Korenix Search vendor "Korenix"	Jetwave 2212s Firmware Search vendor "Korenix" for product "Jetwave 2212s Firmware"	< 1.9.1 Search vendor "Korenix" for product "Jetwave 2212s Firmware" and version " < 1.9.1"	-	Affected	in	Korenix Search vendor "Korenix"	Jetwave 2212s Search vendor "Korenix" for product "Jetwave 2212s"	-	-	Safe
Korenix Search vendor "Korenix"	Jetwave 2212g Firmware Search vendor "Korenix" for product "Jetwave 2212g Firmware"	< 1.8 Search vendor "Korenix" for product "Jetwave 2212g Firmware" and version " < 1.8"	-	Affected	in	Korenix Search vendor "Korenix"	Jetwave 2212g Search vendor "Korenix" for product "Jetwave 2212g"	-	-	Safe
Korenix Search vendor "Korenix"	Jetwave 2311 Firmware Search vendor "Korenix" for product "Jetwave 2311 Firmware"	<= 1.2 Search vendor "Korenix" for product "Jetwave 2311 Firmware" and version " <= 1.2"	-	Affected	in	Korenix Search vendor "Korenix"	Jetwave 2311 Search vendor "Korenix" for product "Jetwave 2311"	-	-	Safe
Korenix Search vendor "Korenix"	Jetwave 3220 Firmware Search vendor "Korenix" for product "Jetwave 3220 Firmware"	< 1.5.1 Search vendor "Korenix" for product "Jetwave 3220 Firmware" and version " < 1.5.1"	-	Affected	in	Korenix Search vendor "Korenix"	Jetwave 3220 Search vendor "Korenix" for product "Jetwave 3220"	3 Search vendor "Korenix" for product "Jetwave 3220" and version "3"	-	Safe
Korenix Search vendor "Korenix"	Jetwave 3420 Firmware Search vendor "Korenix" for product "Jetwave 3420 Firmware"	< 1.5.1 Search vendor "Korenix" for product "Jetwave 3420 Firmware" and version " < 1.5.1"	-	Affected	in	Korenix Search vendor "Korenix"	Jetwave 3420 Search vendor "Korenix" for product "Jetwave 3420"	3 Search vendor "Korenix" for product "Jetwave 3420" and version "3"	-	Safe
Korenix Search vendor "Korenix"	Jetwave 2212x Firmware Search vendor "Korenix" for product "Jetwave 2212x Firmware"	< 1.9.1 Search vendor "Korenix" for product "Jetwave 2212x Firmware" and version " < 1.9.1"	-	Affected	in	Korenix Search vendor "Korenix"	Jetwave 2212x Search vendor "Korenix" for product "Jetwave 2212x"	-	-	Safe