Details of VAR-202103-0193

ID

VAR-202103-0193

CVE

CVE-2020-25217

TITLE

Grandstream GRP261x VoIP phone Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-016408

DESCRIPTION

Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface. Grandstream GRP261x VoIP phone is an IP phone of American Grandstream company. Carrier-grade IP phones designed for large-scale deployment. No detailed vulnerability details are currently provided

Trust: 2.25

sources: NVD: CVE-2020-25217 // JVNDB: JVNDB-2020-016408 // CNVD: CNVD-2021-31663 // VULMON: CVE-2020-25217

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-31663

AFFECTED PRODUCTS

vendor:	grandstream	model:	grp2615	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2616	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2614	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612w	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612p	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2613	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2612w	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2615	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2613	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2614	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2612p	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2616	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp261x voip phone running	scope:	eq	version:	1.0.3.6	Trust: 0.6

sources: CNVD: CNVD-2021-31663 // JVNDB: JVNDB-2020-016408 // NVD: CVE-2020-25217

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-25217
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-25217
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-31663
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202103-1612
value:	HIGH
Trust: 0.6
VULMON:	CVE-2020-25217
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-25217
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-31663
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-25217
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-25217
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-31663 // VULMON: CVE-2020-25217 // JVNDB: JVNDB-2020-016408 // CNNVD: CNNVD-202103-1612 // NVD: CVE-2020-25217

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-016408 // NVD: CVE-2020-25217

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1612

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202103-1612

PATCH

title:	Important Firmware News (HD IP Phones)	url:	http://grandstream.com/support/firmware	Trust: 0.8
title:	Patch for Grandstream GRP261x VoIP phone running firmware command injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/261846	Trust: 0.6
title:	Grandstream GRP261x VoIP phone Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146037	Trust: 0.6

sources: CNVD: CNVD-2021-31663 // JVNDB: JVNDB-2020-016408 // CNNVD: CNNVD-202103-1612

EXTERNAL IDS

db:	NVD	id:	CVE-2020-25217	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-016408	Trust: 0.8
db:	CNVD	id:	CNVD-2021-31663	Trust: 0.6
db:	CNNVD	id:	CNNVD-202103-1612	Trust: 0.6
db:	VULMON	id:	CVE-2020-25217	Trust: 0.1

sources: CNVD: CNVD-2021-31663 // VULMON: CVE-2020-25217 // JVNDB: JVNDB-2020-016408 // CNNVD: CNNVD-202103-1612 // NVD: CVE-2020-25217

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-25217	Trust: 2.0
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 1.7
url:	https://github.com/fireeye/vulnerability-disclosures/blob/master/feye-2021-0001/feye-2021-0001.md	Trust: 1.7
url:	https://github.com/fireeye/vulnerability-disclosures/blob/master/feye-2021-0002/feye-2021-0002.md	Trust: 0.8
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-31663 // VULMON: CVE-2020-25217 // JVNDB: JVNDB-2020-016408 // CNNVD: CNNVD-202103-1612 // NVD: CVE-2020-25217

SOURCES

db:	CNVD	id:	CNVD-2021-31663
db:	VULMON	id:	CVE-2020-25217
db:	JVNDB	id:	JVNDB-2020-016408
db:	CNNVD	id:	CNNVD-202103-1612
db:	NVD	id:	CVE-2020-25217

LAST UPDATE DATE

2024-11-23T22:57:59.051000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-31663	date:	2021-04-28T00:00:00
db:	VULMON	id:	CVE-2020-25217	date:	2021-03-31T00:00:00
db:	JVNDB	id:	JVNDB-2020-016408	date:	2021-12-01T08:40:00
db:	CNNVD	id:	CNNVD-202103-1612	date:	2022-07-11T00:00:00
db:	NVD	id:	CVE-2020-25217	date:	2024-11-21T05:17:41.013

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-31663	date:	2021-04-28T00:00:00
db:	VULMON	id:	CVE-2020-25217	date:	2021-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2020-016408	date:	2021-12-01T00:00:00
db:	CNNVD	id:	CNNVD-202103-1612	date:	2021-03-29T00:00:00
db:	NVD	id:	CVE-2020-25217	date:	2021-03-29T17:15:14.927