Sign-up

ID

VAR-201902-0144


CVE

CVE-2019-7298


TITLE

D-Link DIR-823G In device firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001586

DESCRIPTION

An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function. Consequently, an attacker can execute any command remotely when they control this input. D-Link DIR-823G Device firmware includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple D-Link Products are prone to a command-injection vulnerability. Failed exploit attempts will likely result in denial-of-service conditions. D-Link DIR-823G is a wireless router made by Taiwan D-Link Company. There is an operating system command injection vulnerability in D-Link DIR-823G using version 1.02B03 firmware. The vulnerability comes from the fact that the network system or product does not correctly filter special characters, commands, etc. in the process of constructing executable commands of the operating system from external input data

Trust: 2.07

sources: NVD: CVE-2019-7298 // JVNDB: JVNDB-2019-001586 // BID: 106814 // VULHUB: VHN-158733 // VULMON: CVE-2019-7298

AFFECTED PRODUCTS

vendor:dlinkmodel:dir-823gscope:lteversion:1.02b03

Trust: 1.0

vendor:d linkmodel:dir-823gscope:lteversion:1.02b03

Trust: 0.8

vendor:d linkmodel:dir-823g 1.02b03scope: - version: -

Trust: 0.3

vendor:d linkmodel:dir-823g 1.02b01scope: - version: -

Trust: 0.3

vendor:d linkmodel:dir-823g 1.01b02scope: - version: -

Trust: 0.3

vendor:d linkmodel:dir-823g 1.00b02scope: - version: -

Trust: 0.3

sources: BID: 106814 // JVNDB: JVNDB-2019-001586 // NVD: CVE-2019-7298

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-7298
value: HIGH

Trust: 1.0

NVD: CVE-2019-7298
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-003
value: HIGH

Trust: 0.6

VULHUB: VHN-158733
value: HIGH

Trust: 0.1

VULMON: CVE-2019-7298
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-7298
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-158733
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-7298
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-158733 // VULMON: CVE-2019-7298 // JVNDB: JVNDB-2019-001586 // CNNVD: CNNVD-201902-003 // NVD: CVE-2019-7298

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-158733 // JVNDB: JVNDB-2019-001586 // NVD: CVE-2019-7298

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-003

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201902-003

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-001586

PATCH
title:Top Pageurl:https://www.dlink.com/en/consumer
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-001586

EXTERNAL IDS
db:NVDid:CVE-2019-7298
Trust: 2.9
db:BIDid:106814
Trust: 2.1
db:JVNDBid:JVNDB-2019-001586
Trust: 0.8
db:CNNVDid:CNNVD-201902-003
Trust: 0.7
db:VULHUBid:VHN-158733
Trust: 0.1
db:VULMONid:CVE-2019-7298
Trust: 0.1
sources:
            
            
            VULHUB: VHN-158733 // 
            
            
            
            VULMON: CVE-2019-7298 // 
            
            
            
            BID: 106814 // 
            
            
            
            JVNDB: JVNDB-2019-001586 // 
            
            
            
            CNNVD: CNNVD-201902-003 // 
            
            
            
            NVD: CVE-2019-7298

REFERENCES
url:https://github.com/leonw7/d-link/blob/master/vul_2.md
Trust: 2.9
url:http://www.securityfocus.com/bid/106814
Trust: 2.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-7298
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-7298
Trust: 0.8
url:http://www.dlink.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/78.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULHUB: VHN-158733 // 
            
            
            
            VULMON: CVE-2019-7298 // 
            
            
            
            BID: 106814 // 
            
            
            
            JVNDB: JVNDB-2019-001586 // 
            
            
            
            CNNVD: CNNVD-201902-003 // 
            
            
            
            NVD: CVE-2019-7298

CREDITS
David Chen (360 Enterprise Security Group)
Trust: 0.9
sources:
            
            
            BID: 106814 // 
            
            
            
            CNNVD: CNNVD-201902-003

SOURCES
db:VULHUBid:VHN-158733
db:VULMONid:CVE-2019-7298
db:BIDid:106814
db:JVNDBid:JVNDB-2019-001586
db:CNNVDid:CNNVD-201902-003
db:NVDid:CVE-2019-7298

LAST UPDATE DATE
2024-11-23T23:11:55.783000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-158733date:2019-02-05T00:00:00
db:VULMONid:CVE-2019-7298date:2019-02-05T00:00:00
db:BIDid:106814date:2019-02-01T00:00:00
db:JVNDBid:JVNDB-2019-001586date:2019-03-15T00:00:00
db:CNNVDid:CNNVD-201902-003date:2019-04-01T00:00:00
db:NVDid:CVE-2019-7298date:2024-11-21T04:47:57.343

SOURCES RELEASE DATE
db:VULHUBid:VHN-158733date:2019-02-01T00:00:00
db:VULMONid:CVE-2019-7298date:2019-02-01T00:00:00
db:BIDid:106814date:2019-02-01T00:00:00
db:JVNDBid:JVNDB-2019-001586date:2019-03-15T00:00:00
db:CNNVDid:CNNVD-201902-003date:2019-02-01T00:00:00
db:NVDid:CVE-2019-7298date:2019-02-01T06:29:00.193