ID

VAR-202007-1332


CVE

CVE-2020-5759


TITLE

OS command injection vulnerabilities in Grandstream UCM6200 series firmware

Trust: 0.8

sources: JVNDB: JVNDB-2020-008267

DESCRIPTION

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via SSH. An authenticated remote attacker can execute commands as the root user by issuing a specially crafted "unset" command. The device may be put into a denial-of-service (DoS) state. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communications from Grandstream.

Trust: 2.16

sources: NVD: CVE-2020-5759 // JVNDB: JVNDB-2020-008267 // CNVD: CNVD-2020-44353

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-44353

AFFECTED PRODUCTS

vendor: grandstream, model: ucm6208, scope: lte, version: 1.0.20.23

Trust: 1.0

vendor: grandstream, model: ucm6202, scope: lte, version: 1.0.20.23

Trust: 1.0

vendor: grandstream, model: ucm6204, scope: lte, version: 1.0.20.23

Trust: 1.0

vendor: grandstream, model: ucm6202, scope: eq, version: 1.0.20.23

Trust: 0.8

vendor: grandstream, model: ucm6204, scope: eq, version: 1.0.20.23

Trust: 0.8

vendor: grandstream, model: ucm6208, scope: eq, version: 1.0.20.23

Trust: 0.8

vendor: grandstream, model: ucm6200 series, scope: lte, version: <=1.0.20.23

Trust: 0.6

sources: CNVD: CNVD-2020-44353 // JVNDB: JVNDB-2020-008267 // NVD: CVE-2020-5759

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5759
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-008267
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-44353
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202007-1290
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-5759
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008267
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-44353
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-5759
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-008267
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-44353 // JVNDB: JVNDB-2020-008267 // CNNVD: CNNVD-202007-1290 // NVD: CVE-2020-5759

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2020-008267 // NVD: CVE-2020-5759

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1290

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202007-1290

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008267

PATCH

title: UCM6200 series, url: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series

Trust: 0.8

title: Grandstream UCM6200 Fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124277

Trust: 0.6

sources: JVNDB: JVNDB-2020-008267 // CNNVD: CNNVD-202007-1290

EXTERNAL IDS

db: NVD, id: CVE-2020-5759

Trust: 3.0

db: TENABLE, id: TRA-2020-42

Trust: 1.6

db: JVNDB, id: JVNDB-2020-008267

Trust: 0.8

db: CNVD, id: CNVD-2020-44353

Trust: 0.6

db: CNNVD, id: CNNVD-202007-1290

Trust: 0.6

sources: CNVD: CNVD-2020-44353 // JVNDB: JVNDB-2020-008267 // CNNVD: CNNVD-202007-1290 // NVD: CVE-2020-5759

REFERENCES

url:https://www.tenable.com/cve/cve-2020-5759

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-5759

Trust: 2.0

url:https://www.tenable.com/security/research/tra-2020-42

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5759

Trust: 0.8

sources: CNVD: CNVD-2020-44353 // JVNDB: JVNDB-2020-008267 // CNNVD: CNNVD-202007-1290 // NVD: CVE-2020-5759

SOURCES

db: CNVD, id: CNVD-2020-44353
db: JVNDB, id: JVNDB-2020-008267
db: CNNVD, id: CNNVD-202007-1290
db: NVD, id: CVE-2020-5759

LAST UPDATE DATE

2024-11-23T22:11:25.900000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-44353, date: 2020-08-05T00:00:00
db: JVNDB, id: JVNDB-2020-008267, date: 2020-09-08T00:00:00
db: CNNVD, id: CNNVD-202007-1290, date: 2020-07-24T00:00:00
db: NVD, id: CVE-2020-5759, date: 2024-11-21T05:34:33.120

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-44353, date: 2020-08-05T00:00:00
db: JVNDB, id: JVNDB-2020-008267, date: 2020-09-08T00:00:00
db: CNNVD, id: CNNVD-202007-1290, date: 2020-07-17T00:00:00
db: NVD, id: CVE-2020-5759, date: 2020-07-17T21:15:13.937