ID

VAR-201907-0346


CVE

CVE-2019-12821


TITLE

Shenzhen Jisiwei i3 robot vacuum cleaner Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-007216

DESCRIPTION

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, in the process of adding a device to the account using a QR-code. The QR-code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. By generating a QR-code containing information about the device ID, it is possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six-digit number that depends on the specific device. An access control error vulnerability exists in Jisiwei i3 with version 2.0 firmware. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles.

Trust: 1.71

sources: NVD: CVE-2019-12821 // JVNDB: JVNDB-2019-007216 // VULHUB: VHN-144606

AFFECTED PRODUCTS

vendor: jisiwei, model: i3, scope: eq, version: 2.0

Trust: 1.0

vendor: jisiwei intelligent, model: i3, scope: eq, version: 2.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-007216 // NVD: CVE-2019-12821

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12821
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-12821
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-1131
value: MEDIUM

Trust: 0.6

VULHUB: VHN-144606
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-12821
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144606
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12821
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 2.5
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-144606 // JVNDB: JVNDB-2019-007216 // CNNVD: CNNVD-201907-1131 // NVD: CVE-2019-12821

PROBLEMTYPE DATA

problemtype: CWE-330

Trust: 1.1

problemtype: CWE-284

Trust: 0.9

sources: VULHUB: VHN-144606 // JVNDB: JVNDB-2019-007216 // NVD: CVE-2019-12821

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1131

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-201907-1131

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007216

PATCH

title: Top Page, url: http://global.jisiwei.com/

Trust: 0.8

sources: JVNDB: JVNDB-2019-007216

EXTERNAL IDS

db: NVD, id: CVE-2019-12821

Trust: 2.5

db: JVNDB, id: JVNDB-2019-007216

Trust: 0.8

db: CNNVD, id: CNNVD-201907-1131

Trust: 0.7

db: VULHUB, id: VHN-144606

Trust: 0.1

sources: VULHUB: VHN-144606 // JVNDB: JVNDB-2019-007216 // CNNVD: CNNVD-201907-1131 // NVD: CVE-2019-12821

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2019-12821

Trust: 1.4

url: https://www.kth.se/polopoly_fs/1.914058.1561621210!/olsson_larsson-forsberg_vacuum.pdf

Trust: 1.4

url: https://www.kth.se/polopoly_fs/1.914058.1561621210%21/olsson_larsson-forsberg_vacuum.pdf

Trust: 1.1

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12821

Trust: 0.8

sources: VULHUB: VHN-144606 // JVNDB: JVNDB-2019-007216 // CNNVD: CNNVD-201907-1131 // NVD: CVE-2019-12821

SOURCES

db: VULHUB, id: VHN-144606
db: JVNDB, id: JVNDB-2019-007216
db: CNNVD, id: CNNVD-201907-1131
db: NVD, id: CVE-2019-12821

LAST UPDATE DATE

2024-11-23T22:16:57.889000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-144606, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-007216, date: 2019-08-05T00:00:00
db: CNNVD, id: CNNVD-201907-1131, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-12821, date: 2024-11-21T04:23:39.330

SOURCES RELEASE DATE

db: VULHUB, id: VHN-144606, date: 2019-07-19T00:00:00
db: JVNDB, id: JVNDB-2019-007216, date: 2019-08-05T00:00:00
db: CNNVD, id: CNNVD-201907-1131, date: 2019-07-19T00:00:00
db: NVD, id: CVE-2019-12821, date: 2019-07-19T18:15:11.883