ID

VAR-202003-0624


CVE

CVE-2019-15654


TITLE

Inadequate protection of credentials on Comba AP2600-I devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-015141

DESCRIPTION

Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request does not require any authentication and results in the DBconfig.cfg file being saved. The login information is stored in cleartext at the end of the file. Comba AP2600-I devices contain an insufficient protection of credentials vulnerability. Information may be obtained. Comba Telecom AP2600-I is a wireless access point device from India's Comba Telecom. The upcfgAction.php file in Comba Telecom AP2600-I devices A02,0202N00PD2 and previous versions has a security vulnerability: remote attackers can use a special request to exploit it and obtain sensitive information.

Trust: 2.25

sources: NVD: CVE-2019-15654 // JVNDB: JVNDB-2019-015141 // CNVD: CNVD-2020-22257 // VULMON: CVE-2019-15654

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22257

AFFECTED PRODUCTS

vendor: comba, model: ac2400, scope: eq, version: *

Trust: 1.0

vendor: comba, model: ap2600-i - a02 - 0202n00pd2, scope: -, version: -

Trust: 0.8

vendor: comba, model: telecom ap2600-i devices a02, scope: -, version: -

Trust: 0.6

vendor: comba, model: telecom ap2600-i devices <=0202n00pd2, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-22257 // JVNDB: JVNDB-2019-015141 // NVD: CVE-2019-15654

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15654
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015141
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-22257
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1192
value: HIGH

Trust: 0.6

VULMON: CVE-2019-15654
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-15654
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-015141
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-22257
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15654
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015141
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-22257 // VULMON: CVE-2019-15654 // JVNDB: JVNDB-2019-015141 // CNNVD: CNNVD-202003-1192 // NVD: CVE-2019-15654

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.0

problemtype: CWE-522

Trust: 0.8

sources: JVNDB: JVNDB-2019-015141 // NVD: CVE-2019-15654

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1192

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202003-1192

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015141

PATCH

title: PRESS ROOM, url: https://www.comba-telecom.com/en/news

Trust: 0.8

title: -, url: https://github.com/Live-Hack-CVE/CVE-2019-15654

Trust: 0.1

sources: VULMON: CVE-2019-15654 // JVNDB: JVNDB-2019-015141

EXTERNAL IDS

db: NVD, id: CVE-2019-15654

Trust: 3.1

db: JVNDB, id: JVNDB-2019-015141

Trust: 0.8

db: CNVD, id: CNVD-2020-22257

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1192

Trust: 0.6

db: VULMON, id: CVE-2019-15654

Trust: 0.1

sources: CNVD: CNVD-2020-22257 // VULMON: CVE-2019-15654 // JVNDB: JVNDB-2019-015141 // CNNVD: CNNVD-202003-1192 // NVD: CVE-2019-15654

REFERENCES

url: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26164

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2019-15654

Trust: 2.0

url: https://www.comba-telecom.com/en/news

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15654

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url: https://github.com/live-hack-cve/cve-2019-15654

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-22257 // VULMON: CVE-2019-15654 // JVNDB: JVNDB-2019-015141 // CNNVD: CNNVD-202003-1192 // NVD: CVE-2019-15654

SOURCES

db: CNVD, id: CNVD-2020-22257
db: VULMON, id: CVE-2019-15654
db: JVNDB, id: JVNDB-2019-015141
db: CNNVD, id: CNNVD-202003-1192
db: NVD, id: CVE-2019-15654

LAST UPDATE DATE

2024-11-23T22:41:09.471000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-22257, date: 2020-04-10T00:00:00
db: VULMON, id: CVE-2019-15654, date: 2023-02-03T00:00:00
db: JVNDB, id: JVNDB-2019-015141, date: 2020-04-07T00:00:00
db: CNNVD, id: CNNVD-202003-1192, date: 2023-02-06T00:00:00
db: NVD, id: CVE-2019-15654, date: 2024-11-21T04:29:12.750

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-22257, date: 2020-04-10T00:00:00
db: VULMON, id: CVE-2019-15654, date: 2020-03-19T00:00:00
db: JVNDB, id: JVNDB-2019-015141, date: 2020-04-07T00:00:00
db: CNNVD, id: CNNVD-202003-1192, date: 2020-03-19T00:00:00
db: NVD, id: CVE-2019-15654, date: 2020-03-19T18:15:13.740