ID

VAR-201903-1402


CVE

CVE-2019-10659


TITLE

Command injection vulnerability in Grandstream GXV3370 and WP820 devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-003020

DESCRIPTION

Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. Grandstream GXV3370 and WP820 devices contain a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Both the Grandstream GXV3370 and the Grandstream WP820 are products of Grandstream. The Grandstream GXV3370 is an IP video phone device. The Grandstream WP820 is a portable business WiFi phone. There are security vulnerabilities in Grandstream GXV3370 versions before 1.0.1.41 and WP820 versions before 1.0.3.6. An attacker could use this vulnerability to execute unauthorized commands.

Trust: 2.16

sources: NVD: CVE-2019-10659 // JVNDB: JVNDB-2019-003020 // CNVD: CNVD-2019-42880

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-42880

AFFECTED PRODUCTS

vendor: grandstream, model: gxv3370, scope: lt, version: 1.0.1.41

Trust: 2.4

vendor: grandstream, model: wp820, scope: lt, version: 1.0.3.6

Trust: 2.4

sources: CNVD: CNVD-2019-42880 // JVNDB: JVNDB-2019-003020 // NVD: CVE-2019-10659

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10659
value: HIGH

Trust: 1.0

NVD: CVE-2019-10659
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-42880
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201903-1224
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-10659
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-42880
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-10659
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-10659
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-42880 // JVNDB: JVNDB-2019-003020 // CNNVD: CNNVD-201903-1224 // NVD: CVE-2019-10659

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

problemtype: CWE-77

Trust: 0.8

sources: JVNDB: JVNDB-2019-003020 // NVD: CVE-2019-10659

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1224

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-1224

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003020

PATCH

title: Top Page, url: http://www.grandstream.com/

Trust: 0.8

title: Patch for Grandstream GXV3370 and Grandstream WP820 command injection vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/192497

Trust: 0.6

title: Grandstream GXV3370 and Grandstream WP820 Fixes for command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90908

Trust: 0.6

sources: CNVD: CNVD-2019-42880 // JVNDB: JVNDB-2019-003020 // CNNVD: CNNVD-201903-1224

EXTERNAL IDS

db: NVD, id: CVE-2019-10659

Trust: 3.0

db: JVNDB, id: JVNDB-2019-003020

Trust: 0.8

db: CNVD, id: CNVD-2019-42880

Trust: 0.6

db: CNNVD, id: CNNVD-201903-1224

Trust: 0.6

sources: CNVD: CNVD-2019-42880 // JVNDB: JVNDB-2019-003020 // CNNVD: CNNVD-201903-1224 // NVD: CVE-2019-10659

REFERENCES

url: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1

Trust: 1.6

url: https://github.com/scarvell/grandstream_exploits

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-10659

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10659

Trust: 0.8

url: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920

Trust: 0.8

url: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1

Trust: 0.6

sources: CNVD: CNVD-2019-42880 // JVNDB: JVNDB-2019-003020 // CNNVD: CNNVD-201903-1224 // NVD: CVE-2019-10659

SOURCES

db: CNVD, id: CNVD-2019-42880
db: JVNDB, id: JVNDB-2019-003020
db: CNNVD, id: CNNVD-201903-1224
db: NVD, id: CVE-2019-10659

LAST UPDATE DATE

2024-11-23T22:21:44.280000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-42880, date: 2019-11-29T00:00:00
db: JVNDB, id: JVNDB-2019-003020, date: 2019-05-07T00:00:00
db: CNNVD, id: CNNVD-201903-1224, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-10659, date: 2024-11-21T04:19:41.730

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-42880, date: 2019-11-29T00:00:00
db: JVNDB, id: JVNDB-2019-003020, date: 2019-05-07T00:00:00
db: CNNVD, id: CNNVD-201903-1224, date: 2019-03-30T00:00:00
db: NVD, id: CVE-2019-10659, date: 2019-03-30T17:29:00.557