Vulnerability Name:

CVE-2017-16959 (CCN-135501)

Assigned: 2017-11-27
Published: 2017-11-27
Updated: 2017-12-14
Summary: The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP header, related to the set_sysinfo and get_sysinfo functions in /usr/lib/lua/luci/controller/locale.lua in uhttpd.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-22
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2017-16959

Source: CCN
Type: TP-Link Web site
TP-Link Australia - WiFi Networking Equipment for Home & Business

Source: XF
Type: UNKNOWN
tplink-cve201716959-info-disc(135501)

Source: CCN
Type: TP-Link GIT Repository
Wireless-Router-Vulnerability/TplinkLocalePathDisclosure.txt

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/TplinkLocalePathDisclosure.txt

Vulnerable Configuration:
  • Configuration 1:
  • cpe:/o:tp-link:tl-wvr300_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr300:-:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:tp-link:tl-wvr302_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr302:-:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:tp-link:tl-wvr450_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr450:-:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/o:tp-link:tl-wvr450l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr450l:-:*:*:*:*:*:*:*

  • Configuration 5:
  • cpe:/o:tp-link:tl-wvr450g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr450g:-:*:*:*:*:*:*:*

  • Configuration 6:
  • cpe:/o:tp-link:tl-wvr458_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr458:-:*:*:*:*:*:*:*

  • Configuration 7:
  • cpe:/o:tp-link:tl-wvr458l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr458l:-:*:*:*:*:*:*:*

  • Configuration 8:
  • cpe:/o:tp-link:tl-wvr458p_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr458p:-:*:*:*:*:*:*:*

  • Configuration 9:
  • cpe:/o:tp-link:tl-wvr900g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr900g:-:*:*:*:*:*:*:*

  • Configuration 10:
  • cpe:/o:tp-link:tl-wvr900l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr900l:-:*:*:*:*:*:*:*

  • Configuration 11:
  • cpe:/o:tp-link:tl-wvr1200l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1200l:-:*:*:*:*:*:*:*

  • Configuration 12:
  • cpe:/o:tp-link:tl-wvr1300l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1300l:-:*:*:*:*:*:*:*

  • Configuration 13:
  • cpe:/o:tp-link:tl-wvr1300g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1300g:-:*:*:*:*:*:*:*

  • Configuration 14:
  • cpe:/o:tp-link:tl-wvr1750l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1750l:-:*:*:*:*:*:*:*

  • Configuration 15:
  • cpe:/o:tp-link:tl-war2600l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr2600l:-:*:*:*:*:*:*:*

  • Configuration 16:
  • cpe:/o:tp-link:tl-wvr4300l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr4300l:-:*:*:*:*:*:*:*

  • Configuration 17:
  • cpe:/o:tp-link:tl-war302_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war302:-:*:*:*:*:*:*:*

  • Configuration 18:
  • cpe:/o:tp-link:tl-war450_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war450:-:*:*:*:*:*:*:*

  • Configuration 19:
  • cpe:/o:tp-link:tl-war450l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war450l:-:*:*:*:*:*:*:*

  • Configuration 20:
  • cpe:/o:tp-link:tl-war458_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war458:-:*:*:*:*:*:*:*

  • Configuration 21:
  • cpe:/o:tp-link:tl-war458l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war458l:-:*:*:*:*:*:*:*

  • Configuration 22:
  • cpe:/o:tp-link:tl-war900l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war900l:-:*:*:*:*:*:*:*

  • Configuration 23:
  • cpe:/o:tp-link:tl-war1200l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1200l:-:*:*:*:*:*:*:*

  • Configuration 24:
  • cpe:/o:tp-link:tl-war1300l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1300l:-:*:*:*:*:*:*:*

  • Configuration 25:
  • cpe:/o:tp-link:tl-war1750l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1750l:-:*:*:*:*:*:*:*

  • Configuration 26:
  • cpe:/o:tp-link:tl-war2600l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war2600l:-:*:*:*:*:*:*:*

  • Configuration 27:
  • cpe:/o:tp-link:tl-er3210g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er3210g:-:*:*:*:*:*:*:*

  • Configuration 28:
  • cpe:/o:tp-link:tl-er3220g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er3220g:-:*:*:*:*:*:*:*

  • Configuration 29:
  • cpe:/o:tp-link:tl-er5110g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er5110g:-:*:*:*:*:*:*:*

  • Configuration 30:
  • cpe:/o:tp-link:tl-er5120g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er5120g:-:*:*:*:*:*:*:*

  • Configuration 31:
  • cpe:/o:tp-link:tl-er5510g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er5510g:-:*:*:*:*:*:*:*

  • Configuration 32:
  • cpe:/o:tp-link:tl-er5520g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er5520g:-:*:*:*:*:*:*:*

  • Configuration 33:
  • cpe:/o:tp-link:tl-er6110g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6110g:-:*:*:*:*:*:*:*

  • Configuration 34:
  • cpe:/o:tp-link:tl-er6120g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6120g:-:*:*:*:*:*:*:*

  • Configuration 35:
  • cpe:/o:tp-link:tl-er6220g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6220g:-:*:*:*:*:*:*:*

  • Configuration 36:
  • cpe:/o:tp-link:tl-er6510g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6510g:-:*:*:*:*:*:*:*

  • Configuration 37:
  • cpe:/o:tp-link:tl-er6520g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6520g:-:*:*:*:*:*:*:*

  • Configuration 38:
  • cpe:/o:tp-link:tl-er7520g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er7520g:-:*:*:*:*:*:*:*

  • Configuration 39:
  • cpe:/o:tp-link:tl-r473_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473:-:*:*:*:*:*:*:*

  • Configuration 40:
  • cpe:/o:tp-link:tl-r473g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473g:-:*:*:*:*:*:*:*

  • Configuration 41:
  • cpe:/o:tp-link:tl-r473p-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473p-ac:-:*:*:*:*:*:*:*

  • Configuration 42:
  • cpe:/o:tp-link:tl-r479gp-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473gp-ac:-:*:*:*:*:*:*:*

  • Configuration 43:
  • cpe:/o:tp-link:tl-r478_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r478:-:*:*:*:*:*:*:*

  • Configuration 44:
  • cpe:/o:tp-link:tl-r478+_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r478+:-:*:*:*:*:*:*:*

  • Configuration 45:
  • cpe:/o:tp-link:tl-r478g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r478g:-:*:*:*:*:*:*:*

  • Configuration 46:
  • cpe:/o:tp-link:tl-r478g+_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r478g+:-:*:*:*:*:*:*:*

  • Configuration 47:
  • cpe:/o:tp-link:tl-r479p-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r479p-ac:-:*:*:*:*:*:*:*

  • Configuration 48:
  • cpe:/o:tp-link:tl-r479gp-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r479gp-ac:-:*:*:*:*:*:*:*

  • Configuration 49:
  • cpe:/o:tp-link:tl-r479gpe-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r479gpe-ac:-:*:*:*:*:*:*:*

  • Configuration 50:
  • cpe:/o:tp-link:tl-r483_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r483:-:*:*:*:*:*:*:*

  • Configuration 51:
  • cpe:/o:tp-link:tl-r483g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r483g:-:*:*:*:*:*:*:*

  • Configuration 52:
  • cpe:/o:tp-link:tl-r488_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r488:-:*:*:*:*:*:*:*

  • Configuration 53:
  • cpe:/o:tp-link:tl-r4149g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r4149g:-:*:*:*:*:*:*:*

  • Configuration 54:
  • cpe:/o:tp-link:tl-r4239g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r4239g:-:*:*:*:*:*:*:*

  • Configuration 55:
  • cpe:/o:tp-link:tl-r4299g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r4299g:-:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/h:tp-link:tl-wvr300:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-wvr4300l:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-war302:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-war2600l:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er3210g:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er7520g:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r473:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r4299g:-:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    tp-link tl-wvr300 firmware -
    tp-link tl-wvr300 -
    tp-link tl-wvr302 firmware -
    tp-link tl-wvr302 -
    tp-link tl-wvr450 firmware -
    tp-link tl-wvr450 -
    tp-link tl-wvr450l firmware -
    tp-link tl-wvr450l -
    tp-link tl-wvr450g firmware -
    tp-link tl-wvr450g -
    tp-link tl-wvr458 firmware -
    tp-link tl-wvr458 -
    tp-link tl-wvr458l firmware -
    tp-link tl-wvr458l -
    tp-link tl-wvr458p firmware -
    tp-link tl-wvr458p -
    tp-link tl-wvr900g firmware -
    tp-link tl-wvr900g -
    tp-link tl-wvr900l firmware -
    tp-link tl-wvr900l -
    tp-link tl-wvr1200l firmware -
    tp-link tl-wvr1200l -
    tp-link tl-wvr1300l firmware -
    tp-link tl-wvr1300l -
    tp-link tl-wvr1300g firmware -
    tp-link tl-war1300g -
    tp-link tl-wvr1750l firmware -
    tp-link tl-wvr1750l -
    tp-link tl-war2600l firmware -
    tp-link tl-wvr2600l -
    tp-link tl-wvr4300l firmware -
    tp-link tl-wvr4300l -
    tp-link tl-war302 firmware -
    tp-link tl-war302 -
    tp-link tl-war450 firmware -
    tp-link tl-war450 -
    tp-link tl-war450l firmware -
    tp-link tl-war450l -
    tp-link tl-war458 firmware -
    tp-link tl-war458 -
    tp-link tl-war458l firmware -
    tp-link tl-war458l -
    tp-link tl-war900l firmware -
    tp-link tl-war900l -
    tp-link tl-war1200l firmware -
    tp-link tl-war1200l -
    tp-link tl-war1300l firmware -
    tp-link tl-war1300l -
    tp-link tl-war1750l firmware -
    tp-link tl-war1750l -
    tp-link tl-war2600l firmware -
    tp-link tl-war2600l -
    tp-link tl-er3210g firmware -
    tp-link tl-er3210g -
    tp-link tl-er3220g firmware -
    tp-link tl-er3220g -
    tp-link tl-er5110g firmware -
    tp-link tl-er5110g -
    tp-link tl-er5120g firmware -
    tp-link tl-er5120g -
    tp-link tl-er5510g firmware -
    tp-link tl-er5510g -
    tp-link tl-er5520g firmware -
    tp-link tl-er5520g -
    tp-link tl-er6110g firmware -
    tp-link tl-er6110g -
    tp-link tl-er6120g firmware -
    tp-link tl-er6120g -
    tp-link tl-er6220g firmware -
    tp-link tl-er6220g -
    tp-link tl-er6510g firmware -
    tp-link tl-er6510g -
    tp-link tl-er6520g firmware -
    tp-link tl-er6520g -
    tp-link tl-er7520g firmware -
    tp-link tl-er7520g -
    tp-link tl-r473 firmware -
    tp-link tl-r473 -
    tp-link tl-r473g firmware -
    tp-link tl-r473g -
    tp-link tl-r473p-ac firmware -
    tp-link tl-r473p-ac -
    tp-link tl-r479gp-ac firmware -
    tp-link tl-r473gp-ac -
    tp-link tl-r478 firmware -
    tp-link tl-r478 -
    tp-link tl-r478+ firmware -
    tp-link tl-r478+ -
    tp-link tl-r478g firmware -
    tp-link tl-r478g -
    tp-link tl-r478g+ firmware -
    tp-link tl-r478g+ -
    tp-link tl-r479p-ac firmware -
    tp-link tl-r479p-ac -
    tp-link tl-r479gp-ac firmware -
    tp-link tl-r479gp-ac -
    tp-link tl-r479gpe-ac firmware -
    tp-link tl-r479gpe-ac -
    tp-link tl-r483 firmware -
    tp-link tl-r483 -
    tp-link tl-r483g firmware -
    tp-link tl-r483g -
    tp-link tl-r488 firmware -
    tp-link tl-r488 -
    tp-link tl-r4149g firmware -
    tp-link tl-r4149g -
    tp-link tl-r4239g firmware -
    tp-link tl-r4239g -
    tp-link tl-r4299g firmware -
    tp-link tl-r4299g -
    tp-link tl-wvr300 -
    tp-link tl-wvr4300l -
    tp-link tl-war302 -
    tp-link tl-war2600l -
    tp-link tl-er3210g -
    tp-link tl-er7520g -
    tp-link tl-r473 -
    tp-link tl-r4299g -