CVE-2022-21196
published 2022-02-18CVE-2022-21196: MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not…
PriorityP263critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.53%
87.8th percentile
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airspan | a5x_firmware | < 2.5.4.1 | 2.5.4.1 |
| airspan | c5c_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | c5x_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | c6x_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | mimosa_management_platform | < 1.0.3 | 1.0.3 |
| airspan_networks | mmp | >= unspecified < v1.0.3 | v1.0.3 |
| airspan_networks | ptmp_c-series_and_a5x | >= unspecified < v2.5.4.1 | v2.5.4.1 |
| airspan_networks | ptp_c-series | >= unspecified < v2.8.6.1 | v2.8.6.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Airspan Networks Mimosa
cisa_ics·2022-02-03·CVSS 10.0
[CRITICAL] Airspan Networks Mimosa
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Airspan Networks Mimosa
Last RevisedFebruary 03, 2022
Alert CodeICSA-22-034-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Airspan Networks
- Equipment: Mimosa by Airspan product line
- Vulnerabilities: Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, Use of a Broken or Risky Cryptographic Algorithm
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain user data (in
GHSA
GHSA-vqjc-h5m3-4q6j: MMP: All versions prior to v1
ghsa_unreviewed·2022-02-19
CVE-2022-21196 [CRITICAL] CWE-285 GHSA-vqjc-h5m3-4q6j: MMP: All versions prior to v1
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-02-18
Published