Sign-up

ID

VAR-202002-0360


CVE

CVE-2019-5141


TITLE

Moxa AWK-3131A In firmware OS Command injection vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-014647

DESCRIPTION

An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the fact that the network system or product did not properly filter the special characters, commands, etc. during the process of constructing the executable command of the operating system by external input data

Trust: 2.16

sources: NVD: CVE-2019-5141 // JVNDB: JVNDB-2019-014647 // CNVD: CNVD-2020-13475

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-13475

AFFECTED PRODUCTS

vendor:moxamodel:awk-3131ascope:eqversion:1.13

Trust: 2.4

sources: CNVD: CNVD-2020-13475 // JVNDB: JVNDB-2019-014647 // NVD: CVE-2019-5141

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5141
value: HIGH

Trust: 1.0

talos-cna@cisco.com: CVE-2019-5141
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-014647
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-13475
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202002-1122
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-5141
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-014647
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-13475
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-5141
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

talos-cna@cisco.com: CVE-2019-5141
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2019-014647
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-13475 // JVNDB: JVNDB-2019-014647 // CNNVD: CNNVD-202002-1122 // NVD: CVE-2019-5141 // NVD: CVE-2019-5141

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-014647 // NVD: CVE-2019-5141

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1122

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-1122

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-014647

PATCH
title:AWK-3131A Seriesurl:https://www.moxa.com/en/products/industrial-network-infrastructure/wireless-ap-bridge-client/wlan-ap-bridge-client/awk-3131a-series
Trust: 0.8
title:Patch for Moxa AWK-3131A iw_webs feature operating system command injection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/204741
Trust: 0.6
title:Moxa AWK-3131A iw_webs Functional OS Command Injection Vulnerability Fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110295
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13475 // 
            
            
            
            JVNDB: JVNDB-2019-014647 // 
            
            
            
            CNNVD: CNNVD-202002-1122

EXTERNAL IDS
db:NVDid:CVE-2019-5141
Trust: 3.0
db:TALOSid:TALOS-2019-0930
Trust: 3.0
db:ICS CERTid:ICSA-20-063-04
Trust: 1.4
db:JVNDBid:JVNDB-2019-014647
Trust: 0.8
db:CNVDid:CNVD-2020-13475
Trust: 0.6
db:AUSCERTid:ESB-2020.0781
Trust: 0.6
db:CNNVDid:CNNVD-202002-1122
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13475 // 
            
            
            
            JVNDB: JVNDB-2019-014647 // 
            
            
            
            CNNVD: CNNVD-202002-1122 // 
            
            
            
            NVD: CVE-2019-5141

REFERENCES
url:https://talosintelligence.com/vulnerability_reports/talos-2019-0930
Trust: 3.0
url:https://www.us-cert.gov/ics/advisories/icsa-20-063-04
Trust: 1.4
url:https://nvd.nist.gov/vuln/detail/cve-2019-5141
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5141
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0781/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13475 // 
            
            
            
            JVNDB: JVNDB-2019-014647 // 
            
            
            
            CNNVD: CNNVD-202002-1122 // 
            
            
            
            NVD: CVE-2019-5141

SOURCES
db:CNVDid:CNVD-2020-13475
db:JVNDBid:JVNDB-2019-014647
db:CNNVDid:CNNVD-202002-1122
db:NVDid:CVE-2019-5141

LAST UPDATE DATE
2024-11-23T22:05:48.408000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-13475date:2020-02-25T00:00:00
db:JVNDBid:JVNDB-2019-014647date:2020-03-26T00:00:00
db:CNNVDid:CNNVD-202002-1122date:2022-04-20T00:00:00
db:NVDid:CVE-2019-5141date:2024-11-21T04:44:25.733

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-13475date:2020-02-25T00:00:00
db:JVNDBid:JVNDB-2019-014647date:2020-03-06T00:00:00
db:CNNVDid:CNNVD-202002-1122date:2020-02-24T00:00:00
db:NVDid:CVE-2019-5141date:2020-02-25T16:15:10.703