ID

VAR-201906-0405


CVE

CVE-2019-6961


TITLE

RDK RDKB WebUI Module access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-005850

DESCRIPTION

Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged in user to control DDNS, QoS, RIP, and other privileged configurations (intended only for the network operator) by sending an HTTP POST to the PHP backend, because the page filtering for non-superuser (in header.php) is done only for GET requests and not for direct AJAX calls. The RDK RDKB WebUI module contains an access control vulnerability. Information may be tampered with. RDK Management RDK is a modular, portable, and customizable open source IoT software solution for the RDK Management community.

Trust: 2.7

sources: NVD: CVE-2019-6961 // JVNDB: JVNDB-2019-005850 // CNVD: CNVD-2019-19283 // CNNVD: CNNVD-201906-817

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-19283

AFFECTED PRODUCTS

vendor: rdkcentral
model: rdkb ccsppandm
scope: eq
version: rdkb-20181217-1

Trust: 1.0

vendor: rdk management
model: rdkb ccsppandm
scope: eq
version: rdkb-20181217-1

Trust: 0.8

vendor: rdk
model: rdkb-20181217-1
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2019-19283 // JVNDB: JVNDB-2019-005850 // NVD: CVE-2019-6961

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6961
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-6961
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-19283
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201906-817
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-6961
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-19283
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-6961
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-19283 // JVNDB: JVNDB-2019-005850 // CNNVD: CNNVD-201906-817 // NVD: CVE-2019-6961

PROBLEMTYPE DATA

problemtype: CWE-862

Trust: 1.0

problemtype: CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2019-005850 // NVD: CVE-2019-6961

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-817

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201906-817

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005850

PATCH

title: RDK-B Components
url: https://wiki.rdkcentral.com/display/RDK/RDK-B+Components

Trust: 0.8

title: Patch for RDK WebUI Component Access Control Error Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/165311

Trust: 0.6

title: RDK WebUI Fixes for component access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93966

Trust: 0.6

sources: CNVD: CNVD-2019-19283 // JVNDB: JVNDB-2019-005850 // CNNVD: CNNVD-201906-817

EXTERNAL IDS

db: NVD
id: CVE-2019-6961

Trust: 3.0

db: JVNDB
id: JVNDB-2019-005850

Trust: 0.8

db: CNVD
id: CNVD-2019-19283

Trust: 0.6

db: CNNVD
id: CNNVD-201906-817

Trust: 0.6

sources: CNVD: CNVD-2019-19283 // JVNDB: JVNDB-2019-005850 // CNNVD: CNNVD-201906-817 // NVD: CVE-2019-6961

REFERENCES

url: https://dojo.bullguard.com/dojo-by-bullguard/blog/the-gateway-is-wide-open

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2019-6961

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6961

Trust: 0.8

sources: CNVD: CNVD-2019-19283 // JVNDB: JVNDB-2019-005850 // CNNVD: CNNVD-201906-817 // NVD: CVE-2019-6961

SOURCES

db: CNVD   id: CNVD-2019-19283
db: JVNDB  id: JVNDB-2019-005850
db: CNNVD  id: CNNVD-201906-817
db: NVD    id: CVE-2019-6961

LAST UPDATE DATE

2024-11-23T21:52:11.214000+00:00


SOURCES UPDATE DATE

db: CNVD   id: CNVD-2019-19283    date: 2019-06-26T00:00:00
db: JVNDB  id: JVNDB-2019-005850  date: 2019-07-02T00:00:00
db: CNNVD  id: CNNVD-201906-817   date: 2020-08-25T00:00:00
db: NVD    id: CVE-2019-6961      date: 2024-11-21T04:47:18.573

SOURCES RELEASE DATE

db: CNVD   id: CNVD-2019-19283    date: 2019-06-26T00:00:00
db: JVNDB  id: JVNDB-2019-005850  date: 2019-07-02T00:00:00
db: CNNVD  id: CNNVD-201906-817   date: 2019-06-20T00:00:00
db: NVD    id: CVE-2019-6961      date: 2019-06-20T14:15:11.047