Details of VAR-201812-1155

ID

VAR-201812-1155

CVE

CVE-2018-20575

TITLE

Orange Livebox Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-013686

DESCRIPTION

Orange Livebox 00.96.320S devices have an undocumented /system_firmwarel.stm URI for manual firmware update. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. Orange Livebox Contains an input validation vulnerability.Information may be tampered with. The Orange Livebox is an ADSL (Asymmetric Digital Subscriber Line) modem. An attacker could exploit this vulnerability to manually update the firmware

Trust: 1.8

sources: NVD: CVE-2018-20575 // JVNDB: JVNDB-2018-013686 // VULHUB: VHN-131395 // VULMON: CVE-2018-20575

AFFECTED PRODUCTS

vendor:	orange	model:	arv7519rw22 livebox 2.1	scope:	eq	version:	00.96.320s	Trust: 1.0
vendor:	orange	model:	livebox	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2018-013686 // NVD: CVE-2018-20575

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-20575
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-20575
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201812-1241
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-131395
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-20575
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-20575
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-131395
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-20575
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-131395 // VULMON: CVE-2018-20575 // JVNDB: JVNDB-2018-013686 // CNNVD: CNNVD-201812-1241 // NVD: CVE-2018-20575

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-131395 // JVNDB: JVNDB-2018-013686 // NVD: CVE-2018-20575

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-1241

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201812-1241

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013686

PATCH

title:	Top Page	url:	https://www.orange.com/en/home	Trust: 0.8
title:	LIVEBOX-0DAY	url:	https://github.com/zadewg/LIVEBOX-0DAY	Trust: 0.1

sources: VULMON: CVE-2018-20575 // JVNDB: JVNDB-2018-013686

EXTERNAL IDS

db:	NVD	id:	CVE-2018-20575	Trust: 2.6
db:	JVNDB	id:	JVNDB-2018-013686	Trust: 0.8
db:	CNNVD	id:	CNNVD-201812-1241	Trust: 0.7
db:	VULHUB	id:	VHN-131395	Trust: 0.1
db:	VULMON	id:	CVE-2018-20575	Trust: 0.1

sources: VULHUB: VHN-131395 // VULMON: CVE-2018-20575 // JVNDB: JVNDB-2018-013686 // CNNVD: CNNVD-201812-1241 // NVD: CVE-2018-20575

REFERENCES

url:	https://github.com/zadewg/livebox-0day	Trust: 2.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-20575	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-20575	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/154879	Trust: 0.1

sources: VULHUB: VHN-131395 // VULMON: CVE-2018-20575 // JVNDB: JVNDB-2018-013686 // CNNVD: CNNVD-201812-1241 // NVD: CVE-2018-20575

SOURCES

db:	VULHUB	id:	VHN-131395
db:	VULMON	id:	CVE-2018-20575
db:	JVNDB	id:	JVNDB-2018-013686
db:	CNNVD	id:	CNNVD-201812-1241
db:	NVD	id:	CVE-2018-20575

LAST UPDATE DATE

2024-11-23T21:52:36.859000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-131395	date:	2019-01-23T00:00:00
db:	VULMON	id:	CVE-2018-20575	date:	2019-01-23T00:00:00
db:	JVNDB	id:	JVNDB-2018-013686	date:	2019-02-28T00:00:00
db:	CNNVD	id:	CNNVD-201812-1241	date:	2019-02-11T00:00:00
db:	NVD	id:	CVE-2018-20575	date:	2024-11-21T04:01:45.957

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-131395	date:	2018-12-28T00:00:00
db:	VULMON	id:	CVE-2018-20575	date:	2018-12-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-013686	date:	2019-02-28T00:00:00
db:	CNNVD	id:	CNNVD-201812-1241	date:	2018-12-29T00:00:00
db:	NVD	id:	CVE-2018-20575	date:	2018-12-28T17:29:00.823