Sign-up

ID

VAR-201903-1399


CVE

CVE-2019-10656


TITLE

Grandstream GWN7000 Command injection vulnerability in devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-003084

DESCRIPTION

Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call. Grandstream GWN7000 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Grandstream GWN7000 is an enterprise VPN router from Grandstream. There are security vulnerabilities in Grandstream GWN7000 versions prior to 1.0.6.32. An attacker could use this vulnerability to execute an illegal command

Trust: 2.16

sources: NVD: CVE-2019-10656 // JVNDB: JVNDB-2019-003084 // CNVD: CNVD-2019-42883

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-42883

AFFECTED PRODUCTS

vendor:grandstreammodel:gwn7000scope:ltversion:1.0.6.32

Trust: 2.4

sources: CNVD: CNVD-2019-42883 // JVNDB: JVNDB-2019-003084 // NVD: CVE-2019-10656

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10656
value: HIGH

Trust: 1.0

NVD: CVE-2019-10656
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-42883
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201903-1221
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-10656
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-42883
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-10656
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-10656
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-42883 // JVNDB: JVNDB-2019-003084 // CNNVD: CNNVD-201903-1221 // NVD: CVE-2019-10656

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:CWE-77

Trust: 0.8

sources: JVNDB: JVNDB-2019-003084 // NVD: CVE-2019-10656

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1221

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-1221

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003084

PATCH
title:Top Pageurl:http://www.grandstream.com/
Trust: 0.8
title:Patch for Grandstream GWN7000 Command Injection Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/192493
Trust: 0.6
title:Grandstream GWN7000 Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90905
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-42883 // 
            
            
            
            JVNDB: JVNDB-2019-003084 // 
            
            
            
            CNNVD: CNNVD-201903-1221

EXTERNAL IDS
db:NVDid:CVE-2019-10656
Trust: 3.0
db:JVNDBid:JVNDB-2019-003084
Trust: 0.8
db:CNVDid:CNVD-2019-42883
Trust: 0.6
db:CNNVDid:CNNVD-201903-1221
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-42883 // 
            
            
            
            JVNDB: JVNDB-2019-003084 // 
            
            
            
            CNNVD: CNNVD-201903-1221 // 
            
            
            
            NVD: CVE-2019-10656

REFERENCES
url:https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1
Trust: 2.4
url:https://github.com/scarvell/grandstream_exploits
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2019-10656
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10656
Trust: 0.8
url:https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl;=1
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-42883 // 
            
            
            
            JVNDB: JVNDB-2019-003084 // 
            
            
            
            CNNVD: CNNVD-201903-1221 // 
            
            
            
            NVD: CVE-2019-10656

SOURCES
db:CNVDid:CNVD-2019-42883
db:JVNDBid:JVNDB-2019-003084
db:CNNVDid:CNNVD-201903-1221
db:NVDid:CVE-2019-10656

LAST UPDATE DATE
2024-11-23T22:51:51.032000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-42883date:2019-11-29T00:00:00
db:JVNDBid:JVNDB-2019-003084date:2019-05-09T00:00:00
db:CNNVDid:CNNVD-201903-1221date:2020-10-28T00:00:00
db:NVDid:CVE-2019-10656date:2024-11-21T04:19:41.287

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-42883date:2019-11-29T00:00:00
db:JVNDBid:JVNDB-2019-003084date:2019-05-09T00:00:00
db:CNNVDid:CNNVD-201903-1221date:2019-03-30T00:00:00
db:NVDid:CVE-2019-10656date:2019-03-30T17:29:00.433