Sign-up

ID

VAR-201904-0153


CVE

CVE-2019-5426


TITLE

Ubiquiti Networks EdgeSwitch X Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003379

DESCRIPTION

In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated user can use the "local port forwarding" and "dynamic port forwarding" (SOCKS proxy) functionalities. Remote attackers without credentials can exploit this bug to access local services or forward traffic through the device if SSH is enabled in the system settings. Ubiquiti Networks EdgeSwitch X Contains an access control vulnerability.Information may be obtained and information may be altered. Ubiquiti Networks EdgeSwitch is a Gigabit network switch device from Ubiquiti Networks. A trust management issue vulnerability exists in Ubiquiti Networks EdgeSwitch X v1.1.0 and earlier. The vulnerability stems from the lack of effective trust management mechanisms in network systems or products. Attackers can use default passwords, hard-coded passwords, hard-coded certificates, etc. to attack affected components

Trust: 2.25

sources: NVD: CVE-2019-5426 // JVNDB: JVNDB-2019-003379 // CNVD: CNVD-2019-39182 // VULHUB: VHN-156861

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-39182

AFFECTED PRODUCTS

vendor:uimodel:edgeswitch xscope:lteversion:1.1.0

Trust: 1.0

vendor:ubiquitimodel:edgeswitch xscope:lteversion:1.1.0

Trust: 0.8

vendor:ubiquitimodel:networks edgeswitchscope:lteversion:<=1.1.0

Trust: 0.6

sources: CNVD: CNVD-2019-39182 // JVNDB: JVNDB-2019-003379 // NVD: CVE-2019-5426

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5426
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-5426
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-39182
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201904-533
value: MEDIUM

Trust: 0.6

VULHUB: VHN-156861
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-5426
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-39182
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-156861
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-5426
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2019-5426
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-39182 // VULHUB: VHN-156861 // JVNDB: JVNDB-2019-003379 // CNNVD: CNNVD-201904-533 // NVD: CVE-2019-5426

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

problemtype:CWE-255

Trust: 0.1

sources: VULHUB: VHN-156861 // JVNDB: JVNDB-2019-003379 // NVD: CVE-2019-5426

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-533

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201904-533

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003379

PATCH
title:EdgeMAX EdgeSwitch X software release v1.1.1url:https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeSwitch-X-software-release-v1-1-1/ba-p/2731137
Trust: 0.8
title:Patch for Ubiquiti Networks EdgeSwitch X Access Control Error Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/188641
Trust: 0.6
title:Ubiquiti Networks EdgeSwitch Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91348
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-39182 // 
            
            
            
            JVNDB: JVNDB-2019-003379 // 
            
            
            
            CNNVD: CNNVD-201904-533

EXTERNAL IDS
db:NVDid:CVE-2019-5426
Trust: 3.1
db:HACKERONEid:512958
Trust: 1.7
db:JVNDBid:JVNDB-2019-003379
Trust: 0.8
db:CNNVDid:CNNVD-201904-533
Trust: 0.7
db:CNVDid:CNVD-2019-39182
Trust: 0.6
db:VULHUBid:VHN-156861
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-39182 // 
            
            
            
            VULHUB: VHN-156861 // 
            
            
            
            JVNDB: JVNDB-2019-003379 // 
            
            
            
            CNNVD: CNNVD-201904-533 // 
            
            
            
            NVD: CVE-2019-5426

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2019-5426
Trust: 2.0
url:https://community.ubnt.com/t5/edgemax-updates-blog/edgemax-edgeswitch-x-software-release-v1-1-1/ba-p/2731137
Trust: 1.7
url:https://hackerone.com/reports/512958
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5426
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2019-39182 // 
            
            
            
            VULHUB: VHN-156861 // 
            
            
            
            JVNDB: JVNDB-2019-003379 // 
            
            
            
            CNNVD: CNNVD-201904-533 // 
            
            
            
            NVD: CVE-2019-5426

SOURCES
db:CNVDid:CNVD-2019-39182
db:VULHUBid:VHN-156861
db:JVNDBid:JVNDB-2019-003379
db:CNNVDid:CNNVD-201904-533
db:NVDid:CVE-2019-5426

LAST UPDATE DATE
2024-11-23T22:25:58.066000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-39182date:2019-11-05T00:00:00
db:VULHUBid:VHN-156861date:2020-10-16T00:00:00
db:JVNDBid:JVNDB-2019-003379date:2019-05-16T00:00:00
db:CNNVDid:CNNVD-201904-533date:2020-10-28T00:00:00
db:NVDid:CVE-2019-5426date:2024-11-21T04:44:54.833

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-39182date:2019-11-05T00:00:00
db:VULHUBid:VHN-156861date:2019-04-10T00:00:00
db:JVNDBid:JVNDB-2019-003379date:2019-05-16T00:00:00
db:CNNVDid:CNNVD-201904-533date:2019-04-10T00:00:00
db:NVDid:CVE-2019-5426date:2019-04-10T18:29:00.620