CVE-2022-0138
Published 2022-02-18
CVE-2022-0138: MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 have a…
Priority: P343 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 0.97% (57.5th percentile)
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 have a deserialization function that does not validate or check the data, allowing arbitrary classes to be created.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airspan | a5x_firmware | < 2.5.4.1 | 2.5.4.1 |
| airspan | c5c_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | c5x_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | c6x_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | mimosa_management_platform | < 1.0.3 | 1.0.3 |
| airspan_networks | mmp | >= unspecified < v1.0.3 | v1.0.3 |
| airspan_networks | ptmp_c-series_and_a5x | >= unspecified < v2.5.4.1 | v2.5.4.1 |
| airspan_networks | ptp_c-series | >= unspecified < v2.8.6.1 | v2.8.6.1 |
| chrome_chrome | — | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
GHSA
GHSA-r92v-ww59-8xpg: MMP: All versions prior to v1
ghsa_unreviewed·2022-02-19
CVE-2022-0138 [HIGH] CWE-502 GHSA-r92v-ww59-8xpg: MMP: All versions prior to v1
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 have a deserialization function that does not validate or check the data, allowing arbitrary classes to be created.
Chrome
Stable Channel Update for Desktop: CVE-2023-0138
vendor_chrome·2023-01-10·CVSS 8.8
CVE-2023-0138 [LOW] Stable Channel Update for Desktop: CVE-2023-0138
Stable Channel Update for Desktop
- CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
- [$2000][1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
- [$1000][1326788] Low CVE-2023-0140: Inappropriate implementation in File System API
Severity: low
CISA ICS
Airspan Networks Mimosa
cisa_ics·2022-02-03·CVSS 10.0
[CRITICAL] Airspan Networks Mimosa
ICS Advisory
## Airspan Networks Mimosa
Last Revised: February 03, 2022
Alert Code: ICSA-22-034-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Airspan Networks
- Equipment: Mimosa by Airspan product line
- Vulnerabilities: Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, Use of a Broken or Risky Cryptographic Algorithm
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain user data (in
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-02-18