Details of VAR-201910-0254

ID

VAR-201910-0254

CVE

CVE-2019-3421

TITLE

ZTE ZX297520V3 Vulnerability in injection

Trust: 0.8

sources: JVNDB: JVNDB-2019-011540

DESCRIPTION

The 7520V3V1.0.0B09P27 version, and all earlier versions of ZTE product ZX297520V3 are impacted by a Command Injection vulnerability. Unauthorized users can exploit this vulnerability to control the user terminal system. ZTE ZX297520V3 Contains an injection vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. ZTE Microelectronics is committed to providing overall solutions for 3G / 4G terminals, providing products such as baseband processors, radio frequency, application processors, and power chips. A remote command execution vulnerability exists in a process of ZTE's 4G baseband system. An attacker can remotely trigger the vulnerability in various ways to obtain root permissions of the baseband operating system

Trust: 2.16

sources: NVD: CVE-2019-3421 // JVNDB: JVNDB-2019-011540 // CNVD: CNVD-2019-27740

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-27740

AFFECTED PRODUCTS

vendor:	ztw	model:	zx297520v3	scope:	lte	version:	7520v3v1.0.0b09p27	Trust: 1.0
vendor:	zte	model:	zx297520v3	scope:	lte	version:	7520v3v1.0.0b09p27	Trust: 0.8
vendor:	zte	model:	zx297520v3 baseband chip	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-27740 // JVNDB: JVNDB-2019-011540 // NVD: CVE-2019-3421

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-3421
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-3421
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-27740
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201910-1898
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2019-3421
severity:	HIGH
baseScore:	7.7
vectorString:	AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	5.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-27740
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-3421
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-3421
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-27740 // JVNDB: JVNDB-2019-011540 // CNNVD: CNNVD-201910-1898 // NVD: CVE-2019-3421

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	CWE-74	Trust: 0.8

sources: JVNDB: JVNDB-2019-011540 // NVD: CVE-2019-3421

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201910-1898

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201910-1898

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011540

PATCH

title:	Command Injection Vulnerability in ZTE ZX297520V3	url:	http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1011643	Trust: 0.8
title:	A remote command execution vulnerability exists in a process of ZTE 4G baseband system	url:	https://www.cnvd.org.cn/patchInfo/show/172723	Trust: 0.6
title:	ZTE ZX297520V3 Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101812	Trust: 0.6

sources: CNVD: CNVD-2019-27740 // JVNDB: JVNDB-2019-011540 // CNNVD: CNNVD-201910-1898

EXTERNAL IDS

db:	NVD	id:	CVE-2019-3421	Trust: 3.0
db:	ZTE	id:	1011643	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-011540	Trust: 0.8
db:	CNVD	id:	CNVD-2019-27740	Trust: 0.6
db:	CNNVD	id:	CNNVD-201910-1898	Trust: 0.6

sources: CNVD: CNVD-2019-27740 // JVNDB: JVNDB-2019-011540 // CNNVD: CNNVD-201910-1898 // NVD: CVE-2019-3421

REFERENCES

url:	http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1011643	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3421	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3421	Trust: 0.8

sources: JVNDB: JVNDB-2019-011540 // CNNVD: CNNVD-201910-1898 // NVD: CVE-2019-3421

SOURCES

db:	CNVD	id:	CNVD-2019-27740
db:	JVNDB	id:	JVNDB-2019-011540
db:	CNNVD	id:	CNNVD-201910-1898
db:	NVD	id:	CVE-2019-3421

LAST UPDATE DATE

2024-11-23T22:41:19.909000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-27740	date:	2019-11-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-011540	date:	2019-11-12T00:00:00
db:	CNNVD	id:	CNNVD-201910-1898	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-3421	date:	2024-11-21T04:42:03.990

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-27740	date:	2019-09-13T00:00:00
db:	JVNDB	id:	JVNDB-2019-011540	date:	2019-11-12T00:00:00
db:	CNNVD	id:	CNNVD-201910-1898	date:	2019-10-31T00:00:00
db:	NVD	id:	CVE-2019-3421	date:	2019-10-31T16:15:11.287