Details of VAR-202007-1331

ID

VAR-202007-1331

CVE

CVE-2020-5758

TITLE

Grandstream UCM6200 In series firmware OS Command injection vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-008266

DESCRIPTION

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can execute commands as the root user by sending a crafted HTTP GET to the UCM's "Old" HTTPS API. (DoS) It may be put into a state. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communications from Grandstream

Trust: 2.16

sources: NVD: CVE-2020-5758 // JVNDB: JVNDB-2020-008266 // CNVD: CNVD-2020-44352

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-44352

AFFECTED PRODUCTS

vendor:	grandstream	model:	ucm6208	scope:	lte	version:	1.0.20.23	Trust: 1.0
vendor:	grandstream	model:	ucm6202	scope:	lte	version:	1.0.20.23	Trust: 1.0
vendor:	grandstream	model:	ucm6204	scope:	lte	version:	1.0.20.23	Trust: 1.0
vendor:	grandstream	model:	ucm6202	scope:	eq	version:	1.0.20.23	Trust: 0.8
vendor:	grandstream	model:	ucm6204	scope:	eq	version:	1.0.20.23	Trust: 0.8
vendor:	grandstream	model:	ucm6208	scope:	eq	version:	1.0.20.23	Trust: 0.8
vendor:	grandstream	model:	ucm6200 series	scope:	lte	version:	<=1.0.20.23	Trust: 0.6

sources: CNVD: CNVD-2020-44352 // JVNDB: JVNDB-2020-008266 // NVD: CVE-2020-5758

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-5758
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-008266
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-44352
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202007-1289
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-5758
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-008266
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-44352
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-5758
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-008266
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-44352 // JVNDB: JVNDB-2020-008266 // CNNVD: CNNVD-202007-1289 // NVD: CVE-2020-5758

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2020-008266 // NVD: CVE-2020-5758

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1289

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202007-1289

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008266

PATCH

title:	UCM6200 series	url:	http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series	Trust: 0.8
title:	Grandstream UCM6200 Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124965	Trust: 0.6

sources: JVNDB: JVNDB-2020-008266 // CNNVD: CNNVD-202007-1289

EXTERNAL IDS

db:	NVD	id:	CVE-2020-5758	Trust: 3.0
db:	TENABLE	id:	TRA-2020-42	Trust: 1.6
db:	JVNDB	id:	JVNDB-2020-008266	Trust: 0.8
db:	CNVD	id:	CNVD-2020-44352	Trust: 0.6
db:	CNNVD	id:	CNNVD-202007-1289	Trust: 0.6

sources: CNVD: CNVD-2020-44352 // JVNDB: JVNDB-2020-008266 // CNNVD: CNNVD-202007-1289 // NVD: CVE-2020-5758

REFERENCES

url:	https://www.tenable.com/cve/cve-2020-5758	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-5758	Trust: 2.0
url:	https://www.tenable.com/security/research/tra-2020-42	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5758	Trust: 0.8

sources: CNVD: CNVD-2020-44352 // JVNDB: JVNDB-2020-008266 // CNNVD: CNNVD-202007-1289 // NVD: CVE-2020-5758

SOURCES

db:	CNVD	id:	CNVD-2020-44352
db:	JVNDB	id:	JVNDB-2020-008266
db:	CNNVD	id:	CNNVD-202007-1289
db:	NVD	id:	CVE-2020-5758

LAST UPDATE DATE

2024-11-23T22:11:25.853000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-44352	date:	2020-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-008266	date:	2020-09-08T00:00:00
db:	CNNVD	id:	CNNVD-202007-1289	date:	2020-07-29T00:00:00
db:	NVD	id:	CVE-2020-5758	date:	2024-11-21T05:34:33.010

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-44352	date:	2020-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-008266	date:	2020-09-08T00:00:00
db:	CNNVD	id:	CNNVD-202007-1289	date:	2020-07-17T00:00:00
db:	NVD	id:	CVE-2020-5758	date:	2020-07-17T21:15:13.810