Details of VAR-201907-0423

ID

VAR-201907-0423

CVE

CVE-2019-12324

TITLE

Akuvox R50P VoIP phone Command injection vulnerability in some firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-007284

DESCRIPTION

A command injection (missing input validation) issue in the IP address field for the logging server in the configuration web interface on the Akuvox R50P VoIP phone with firmware 50.0.6.156 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. Akuvox R50P VoIP phone Has a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AKUVOXNETWORKSR50PVoIPphone is an IP phone from China AKUVOXNETWORKS. The vulnerability stems from the process of constructing code snippets from external input data, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to generate an illegal code segment that modifies the expected execution control flow of a network system or component

Trust: 2.25

sources: NVD: CVE-2019-12324 // JVNDB: JVNDB-2019-007284 // CNVD: CNVD-2019-24008 // VULHUB: VHN-144059

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-24008

AFFECTED PRODUCTS

vendor:	akuvox	model:	sp-r50p	scope:	eq	version:	50.0.6.156	Trust: 1.8
vendor:	akuvox	model:	networks akuvox networks r50p voip phone	scope:	eq	version:	50.0.6.156	Trust: 0.6

sources: CNVD: CNVD-2019-24008 // JVNDB: JVNDB-2019-007284 // NVD: CVE-2019-12324

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-12324
value:	HIGH
Trust: 1.0
cve@mitre.org:	CVE-2019-12324
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-12324
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-24008
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201907-1175
value:	HIGH
Trust: 0.6
VULHUB:	VHN-144059
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-12324
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-24008
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-144059
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-12324
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 2.8

sources: CNVD: CNVD-2019-24008 // VULHUB: VHN-144059 // JVNDB: JVNDB-2019-007284 // CNNVD: CNNVD-201907-1175 // NVD: CVE-2019-12324 // NVD: CVE-2019-12324

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 0.9

sources: VULHUB: VHN-144059 // JVNDB: JVNDB-2019-007284 // NVD: CVE-2019-12324

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1175

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201907-1175

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007284

PATCH

title:

Akuvox SP-R50P Entry-level IP Phone

url:

http://www.akuvox.com/2e663dea-afdf-03f1-58da-730cfd9b8357/1272ef16-f460-f184-7dd2-8b39d87c84e4.shtml

Trust: 0.8

sources: JVNDB: JVNDB-2019-007284

EXTERNAL IDS

db:	NVD	id:	CVE-2019-12324	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-007284	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-1175	Trust: 0.7
db:	CNVD	id:	CNVD-2019-24008	Trust: 0.6
db:	VULHUB	id:	VHN-144059	Trust: 0.1

sources: CNVD: CNVD-2019-24008 // VULHUB: VHN-144059 // JVNDB: JVNDB-2019-007284 // CNNVD: CNNVD-201907-1175 // NVD: CVE-2019-12324

REFERENCES

url:	https://www.sit.fraunhofer.de/fileadmin/dokumente/cve/advisory_akuvox_r50p.pdf	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12324	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12324	Trust: 0.8

sources: CNVD: CNVD-2019-24008 // VULHUB: VHN-144059 // JVNDB: JVNDB-2019-007284 // CNNVD: CNNVD-201907-1175 // NVD: CVE-2019-12324

SOURCES

db:	CNVD	id:	CNVD-2019-24008
db:	VULHUB	id:	VHN-144059
db:	JVNDB	id:	JVNDB-2019-007284
db:	CNNVD	id:	CNNVD-201907-1175
db:	NVD	id:	CVE-2019-12324

LAST UPDATE DATE

2024-11-23T22:33:49.731000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-24008	date:	2019-07-24T00:00:00
db:	VULHUB	id:	VHN-144059	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-007284	date:	2019-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201907-1175	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-12324	date:	2024-11-21T04:22:37.093

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-24008	date:	2019-07-24T00:00:00
db:	VULHUB	id:	VHN-144059	date:	2019-07-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-007284	date:	2019-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201907-1175	date:	2019-07-22T00:00:00
db:	NVD	id:	CVE-2019-12324	date:	2019-07-22T16:15:11.597