On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUi Airos
OSUi< 4.0.14.0.2 – 5.3.5 (bez)5.3.6 – 5.4.5 (bez)
CISA KEV — szczegółyi
- Dostawcai
- Ubiquiti
- Produkti
- AirOS
- Data dodania do KEVi
- 15 kwietnia 2022
- Termin remediation (USA)i
- 6 maja 2022(po terminie)
Zastosuj aktualizacje zgodnie z instrukcjami producenta.
▸ Pokaż oryginał (EN)
Apply updates per vendor instructions.
Niektóre urządzenia Ubiquiti zawierają lukę command injection poprzez żądanie GET do stainfo.cgi.
▸ Pokaż oryginał (EN)
Certain Ubiquiti devices contain a command injection vulnerability via a GET request to stainfo.cgi.
Powiązane podatności
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vuln...
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vuln...
Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Dis...
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vuln...
Nieprawidłowa kontrola dostępu w UniFi OS — nieautoryzowane zmiany systemowe