CVE-2021-45876

Multiple versions of GARO Wallbox GLB/GTB/GTC are affected by unauthenticated command injection. The url parameter of the function module downloadAndUpdate is vulnerable to an command Injection. Unfiltered user input is used to generate code which then gets executed when downloading new firmware.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:garo:wallbox_gtb_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:garo:wallbox_gtb:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:garo:wallbox_gtc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:garo:wallbox_gtc:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:garo:wallbox_glb_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:garo:wallbox_glb:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:33

Type Values Removed Values Added
References () https://github.com/delikely/advisory/tree/main/GARO - Third Party Advisory () https://github.com/delikely/advisory/tree/main/GARO - Third Party Advisory

28 Mar 2022, 17:04

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8
References (MISC) https://github.com/delikely/advisory/tree/main/GARO - (MISC) https://github.com/delikely/advisory/tree/main/GARO - Third Party Advisory
CWE CWE-77
CPE cpe:2.3:h:garo:wallbox_glb:-:*:*:*:*:*:*:*
cpe:2.3:h:garo:wallbox_gtc:-:*:*:*:*:*:*:*
cpe:2.3:h:garo:wallbox_gtb:-:*:*:*:*:*:*:*
cpe:2.3:o:garo:wallbox_gtb_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:garo:wallbox_glb_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:garo:wallbox_gtc_firmware:*:*:*:*:*:*:*:*

21 Mar 2022, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-21 11:15

Updated : 2024-11-21 06:33


NVD link : CVE-2021-45876

Mitre link : CVE-2021-45876

CVE.ORG link : CVE-2021-45876


JSON object : View

Products Affected

garo

  • wallbox_glb
  • wallbox_gtc
  • wallbox_gtb
  • wallbox_gtc_firmware
  • wallbox_gtb_firmware
  • wallbox_glb_firmware
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')