CVE-2022-24990

CVSS V2 None CVSS V3 None
Description
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Overview
  • CVE ID
  • CVE-2022-24990
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-02-07T18:15:09
  • Last Modified Date
  • 2023-02-16T14:24:23
Weakness Enumerations
CWE URL
NVD-CWE-noinfo http://cwe.mitre.org/data/definitions/NVD-noinfo.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:* 1 OR 4.2.31
cpe:2.3:h:terra-master:f2-210:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f2-221:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f2-223:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f2-422:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f2-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f4-421:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f4-422:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f4-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f5-221:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:f5-422:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:t12-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:t12-450:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:t6-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:t9-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:t9-450:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u12-322-9100:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u12-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u12-722-2224:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u16-322-9100:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u16-722-2224:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u24-722-2224:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u4-111:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u4-211:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u4-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u8-111:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u8-322-9100:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u8-423:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u8-522-9400:-:*:*:*:*:*:*:* 0 OR
cpe:2.3:h:terra-master:u8-722-2224:-:*:*:*:*:*:*:* 0 OR
References
Reference URL Reference Tags
https://forum.terra-master.com/en/viewforum.php?f=28 Issue Tracking Release Notes
https://github.com/0xf4n9x/CVE-2022-24990 Exploit Third Party Advisory
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ Exploit Third Party Advisory
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-24990
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24990
History
Created Old Value New Value Data Type Notes
2023-04-17 07:20:33 Added to TrackCVE
2023-04-17 07:20:36 Weakness Enumeration new