CVE-2022-36308
CRITICALAirspan AirVelocity <15.18.00.2511 - Info Disclosure
Title source: llmDescription
Airspan AirVelocity 1500 web management UI displays SNMP credentials in plaintext on software versions older than 15.18.00.2511, and stores SNMPv3 credentials unhashed on the filesystem, enabling anyone with web access to use these credentials to manipulate the eNodeB over SNMP. This issue may affect other AirVelocity and AirSpeed models.
References (2)
Core 2
Core References
Permissions Required, Vendor Advisory x_refsource_confirm
https://helpdesk.airspan.com/browse/TRN3-1692
Third Party Advisory x_refsource_misc
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-qjgc-rx8m-q58x
Scores
CVSS v3
9.1
EPSS
0.0060
EPSS Percentile
43.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-522
CWE-256
Status
published
Products (1)
airspan/airvelocity_1500_firmware
9.3.0.01249 - 15.18.00.2511
Published
Aug 16, 2022
Tracked Since
Feb 18, 2026