ID

VAR-201908-0894


CVE

CVE-2019-14259


TITLE

Polycom Obihai Obi1022 VoIP phone Command injection vulnerability in some firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-007419

DESCRIPTION

On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request. The Polycom Obihai Obi1022 VoIP phone has a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The Polycom Obihai Obi1022 VoIP phone is an IP phone from the American company Polycom. A command injection vulnerability exists in the Polycom Obihai Obi1022 VoIP phone with firmware version 5.1.11. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. Attackers can exploit this vulnerability to execute illegal commands.

Trust: 1.71

sources: NVD: CVE-2019-14259 // JVNDB: JVNDB-2019-007419 // VULHUB: VHN-146187

AFFECTED PRODUCTS

vendor: polycom, model: obihai obi1022, scope: eq, version: 5.1.11

Trust: 1.8

sources: JVNDB: JVNDB-2019-007419 // NVD: CVE-2019-14259

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14259
value: HIGH

Trust: 1.0

NVD: CVE-2019-14259
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-066
value: HIGH

Trust: 0.6

VULHUB: VHN-146187
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-14259
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-146187
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14259
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-146187 // JVNDB: JVNDB-2019-007419 // CNNVD: CNNVD-201908-066 // NVD: CVE-2019-14259

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-146187 // JVNDB: JVNDB-2019-007419 // NVD: CVE-2019-14259

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201908-066

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-066

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007419

PATCH

title: Polycom OBi, url: https://www.polycom.com/voice-conferencing-solutions/obi-software.html

Trust: 0.8

sources: JVNDB: JVNDB-2019-007419

EXTERNAL IDS

db: NVD, id: CVE-2019-14259

Trust: 2.5

db: JVNDB, id: JVNDB-2019-007419

Trust: 0.8

db: CNNVD, id: CNNVD-201908-066

Trust: 0.7

db: VULHUB, id: VHN-146187

Trust: 0.1

sources: VULHUB: VHN-146187 // JVNDB: JVNDB-2019-007419 // CNNVD: CNNVD-201908-066 // NVD: CVE-2019-14259

REFERENCES

url:https://www.sit.fraunhofer.de/fileadmin/dokumente/cve/advisory_obihai_obi1002.pdf?_=1563787869

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-14259

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14259

Trust: 0.8

sources: VULHUB: VHN-146187 // JVNDB: JVNDB-2019-007419 // CNNVD: CNNVD-201908-066 // NVD: CVE-2019-14259

SOURCES

db: VULHUB, id: VHN-146187
db: JVNDB, id: JVNDB-2019-007419
db: CNNVD, id: CNNVD-201908-066
db: NVD, id: CVE-2019-14259

LAST UPDATE DATE

2024-11-23T22:29:58.555000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-146187, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-007419, date: 2019-08-09T00:00:00
db: CNNVD, id: CNNVD-201908-066, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-14259, date: 2024-11-21T04:26:18.903

SOURCES RELEASE DATE

db: VULHUB, id: VHN-146187, date: 2019-08-01T00:00:00
db: JVNDB, id: JVNDB-2019-007419, date: 2019-08-09T00:00:00
db: CNNVD, id: CNNVD-201908-066, date: 2019-08-01T00:00:00
db: NVD, id: CVE-2019-14259, date: 2019-08-01T15:15:14.937