CVE-2022-41140

CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

8.8HIGH

EPSS

2.0%

top 16.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dlink Dir-867 Firmware Dlink Dir-878 Firmware Dlink Dir-882-us Firmware +1 more

Timeline

PublishedJan 26

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of multiple D-Link routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the lighttpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in …

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5d-link/multiple_routers1.30B07

▶NVDdlink/dir-867_firmware1.30b08

▶NVDdlink/dir-878_firmware1.30b06

▶NVDdlink/dir-882-us_firmware1.30b07

Patches

Patch: supportannouncement.us.dlink.com ↗Patch: supportannouncement.us.dlink.com ↗

🔴Vulnerability Details

GHSA

GHSA-qcrm-3jcv-ppvq: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of multiple D-Link routers↗2023-01-26

▶

CVEList

CVE-2022-41140: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of multiple D-Link routers↗2023-01-26

▶

VulnCheck

D-Link dir-882-us_firmware Stack-based Buffer Overflow↗2022

▶