CVE-2016-4863

CVE	CVE-2016-4863
State	PUBLISHED
Assigner	jpcert
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-05-22 16:29:00 UTC
Updated	2025-04-20 01:37:25 UTC
Description	The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when "Internet pass-thru Mode" is enabled, which allows attackers with access to STA side LAN can obtain files or data.

Primary CVSS: v3.0 4.3 MEDIUM from [email protected]

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types: CWE-287 | Lack of authentication mechanism

Version	Source	Type	Score	Severity	Vector
3.0	[email protected]	Primary	4.3	MEDIUM	`CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
2.0	[email protected]	Primary	3.3		`AV:A/AC:L/Au:N/C:P/I:N/A:N`

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Access Vector

Adjacent

Access Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

AV:A/AC:L/Au:N/C:P/I:N/A:N

Type	Vendor	Product	Version	Update	Edition	Language
Application	Toshiba	Flashair	All	All	All	All
Application	Toshiba	Flashair	All	All	All	All
Application	Toshiba	Flashair	All	All	All	All
Application	Toshiba	Flashair	All	All	All	All
Application	Toshiba	Flashair	All	All	All	All
Application	Toshiba	Flashair	All	All	All	All
Application	Toshiba	Flashair	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Toshiba	FlashAir SD-WD/WC Series Class 6 Model	affected firmware version 1.00.04 and later	Not specified
CNA	Toshiba	FlashAir SD-WD/WC Series Class 10 Model W-02	affected firmware version 2.00.02 and later	Not specified
CNA	Toshiba	FlashAir SD-WE Series Class 10 Model W-03	affected all firmware versions	Not specified
CNA	Toshiba	FlashAir Class 6 Model	affected firmware version 1.00.04 and later	Not specified
CNA	Toshiba	FlashAir II Class 10 Model W-02 Series	affected firmware version 2.00.02 and later	Not specified
CNA	Toshiba	FlashAir III Class 10 Model W-03 Series	affected all firmware versions	Not specified
CNA	Toshiba	FlashAir Class 6 Model	affected firmware version 1.00.04 and later	Not specified
CNA	Toshiba	FlashAir W-02 Series Class 10 Model	affected firmware version 2.00.02 and later	Not specified
CNA	Toshiba	FlashAir W-03 Series Class 10 Model	affected all firmware versions	Not specified

Reference	Source	Link	Tags
JVN#39619137: Toshiba FlashAir does not require authentication in "Internet pass-thru Mode"	af854a3a-2127-422b-91ae-364da2661108	jvn.jp	Third Party Advisory, VDB Entry
Multiple Toshiba FlashAir Products CVE-2016-4863 Security Bypass Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com	Third Party Advisory, VDB Entry
jvndb.jvn.jp/jvndb/JVNDB-2016-000168	af854a3a-2127-422b-91ae-364da2661108	jvndb.jvn.jp	Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.