Sign-up

ID

VAR-202002-0359


CVE

CVE-2019-5140


TITLE

Moxa AWK-3131A In firmware OS Command injection vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-014646

DESCRIPTION

An exploitable command injection vulnerability exists in the iwwebs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iwsystem call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the fact that the network system or product did not properly filter the special elements in the process of constructing executable commands from external input data. An attacker could use this vulnerability to execute an illegal command

Trust: 2.16

sources: NVD: CVE-2019-5140 // JVNDB: JVNDB-2019-014646 // CNVD: CNVD-2020-13477

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-13477

AFFECTED PRODUCTS

vendor:moxamodel:awk-3131ascope:eqversion:1.13

Trust: 2.4

sources: CNVD: CNVD-2020-13477 // JVNDB: JVNDB-2019-014646 // NVD: CVE-2019-5140

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5140
value: HIGH

Trust: 1.0

talos-cna@cisco.com: CVE-2019-5140
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-014646
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-13477
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202002-1118
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-5140
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-014646
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-13477
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-5140
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

talos-cna@cisco.com: CVE-2019-5140
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2019-014646
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-13477 // JVNDB: JVNDB-2019-014646 // CNNVD: CNNVD-202002-1118 // NVD: CVE-2019-5140 // NVD: CVE-2019-5140

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-014646 // NVD: CVE-2019-5140

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1118

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-1118

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-014646

PATCH
title:AWK-3131A Seriesurl:https://www.moxa.com/en/products/industrial-network-infrastructure/wireless-ap-bridge-client/wlan-ap-bridge-client/awk-3131a-series
Trust: 0.8
title:Patch for Moxa AWK-3131A iw_webs Functional Operating System Command Injection Vulnerability (CNVD-2020-13477)url:https://www.cnvd.org.cn/patchInfo/show/204731
Trust: 0.6
title:Moxa AWK-3131A iw_webs Functional OS Command Injection Vulnerability Fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110292
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13477 // 
            
            
            
            JVNDB: JVNDB-2019-014646 // 
            
            
            
            CNNVD: CNNVD-202002-1118

EXTERNAL IDS
db:TALOSid:TALOS-2019-0929
Trust: 3.0
db:NVDid:CVE-2019-5140
Trust: 3.0
db:ICS CERTid:ICSA-20-063-04
Trust: 1.4
db:JVNDBid:JVNDB-2019-014646
Trust: 0.8
db:CNVDid:CNVD-2020-13477
Trust: 0.6
db:AUSCERTid:ESB-2020.0781
Trust: 0.6
db:CNNVDid:CNNVD-202002-1118
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13477 // 
            
            
            
            JVNDB: JVNDB-2019-014646 // 
            
            
            
            CNNVD: CNNVD-202002-1118 // 
            
            
            
            NVD: CVE-2019-5140

REFERENCES
url:https://talosintelligence.com/vulnerability_reports/talos-2019-0929
Trust: 3.0
url:https://www.us-cert.gov/ics/advisories/icsa-20-063-04
Trust: 1.4
url:https://nvd.nist.gov/vuln/detail/cve-2019-5140
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5140
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0781/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13477 // 
            
            
            
            JVNDB: JVNDB-2019-014646 // 
            
            
            
            CNNVD: CNNVD-202002-1118 // 
            
            
            
            NVD: CVE-2019-5140

SOURCES
db:CNVDid:CNVD-2020-13477
db:JVNDBid:JVNDB-2019-014646
db:CNNVDid:CNNVD-202002-1118
db:NVDid:CVE-2019-5140

LAST UPDATE DATE
2024-11-23T22:05:48.573000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-13477date:2020-03-02T00:00:00
db:JVNDBid:JVNDB-2019-014646date:2020-03-26T00:00:00
db:CNNVDid:CNNVD-202002-1118date:2022-04-20T00:00:00
db:NVDid:CVE-2019-5140date:2024-11-21T04:44:25.613

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-13477date:2020-02-25T00:00:00
db:JVNDBid:JVNDB-2019-014646date:2020-03-06T00:00:00
db:CNNVDid:CNNVD-202002-1118date:2020-02-24T00:00:00
db:NVDid:CVE-2019-5140date:2020-02-25T16:15:10.657