Sign-up

ID

VAR-201904-0335


CVE

CVE-2019-3943


TITLE

MikroTik RouterOS Path traversal vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-003365 // CNNVD: CNNVD-201904-536

DESCRIPTION

MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are vulnerable to an authenticated, remote directory traversal via the HTTP or Winbox interfaces. An authenticated, remote attack can use this vulnerability to read and write files outside of the sandbox directory (/rw/disk). MikroTik RouterOS Contains a path traversal vulnerability.Information may be obtained and information may be altered. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths. An attacker could exploit this vulnerability to access locations outside of restricted directories

Trust: 1.8

sources: NVD: CVE-2019-3943 // JVNDB: JVNDB-2019-003365 // VULHUB: VHN-155378 // VULMON: CVE-2019-3943

AFFECTED PRODUCTS

vendor:mikrotikmodel:routerosscope:eqversion:6.43

Trust: 1.0

vendor:mikrotikmodel:routerosscope:eqversion:6.42

Trust: 1.0

vendor:mikrotikmodel:routerosscope:lteversion:6.43.12

Trust: 1.0

vendor:mikrotikmodel:routerosscope:eqversion:6.41

Trust: 1.0

vendor:mikrotikmodel:routerosscope:eqversion:6.44

Trust: 1.0

vendor:mikrotikmodel:routerosscope:lteversion:6.42.12

Trust: 1.0

vendor:mikrotikmodel:routerosscope:lteversion:long-term 6.42.12

Trust: 0.8

vendor:mikrotikmodel:routerosscope:lteversion:stable 6.43.12

Trust: 0.8

vendor:mikrotikmodel:routerosscope:lteversion:testing 6.44beta75

Trust: 0.8

sources: JVNDB: JVNDB-2019-003365 // NVD: CVE-2019-3943

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3943
value: HIGH

Trust: 1.0

NVD: CVE-2019-3943
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201904-536
value: HIGH

Trust: 0.6

VULHUB: VHN-155378
value: HIGH

Trust: 0.1

VULMON: CVE-2019-3943
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-3943
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-155378
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3943
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2019-3943
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-155378 // VULMON: CVE-2019-3943 // JVNDB: JVNDB-2019-003365 // CNNVD: CNNVD-201904-536 // NVD: CVE-2019-3943

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

problemtype:CWE-23

Trust: 1.0

sources: VULHUB: VHN-155378 // JVNDB: JVNDB-2019-003365 // NVD: CVE-2019-3943

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-536

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201904-536

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003365

PATCH
title:RouterOSurl:https://mikrotik.com/software
Trust: 0.8
title:MikroTik RouterOS Repair measures for path traversal vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91351
Trust: 0.6
title: - url:https://github.com/NozomiNetworks/pywinbox 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2019-3943 // 
            
            
            
            JVNDB: JVNDB-2019-003365 // 
            
            
            
            CNNVD: CNNVD-201904-536

EXTERNAL IDS
db:NVDid:CVE-2019-3943
Trust: 2.6
db:TENABLEid:TRA-2019-16
Trust: 2.6
db:JVNDBid:JVNDB-2019-003365
Trust: 0.8
db:CNNVDid:CNNVD-201904-536
Trust: 0.7
db:VULHUBid:VHN-155378
Trust: 0.1
db:PACKETSTORMid:155036
Trust: 0.1
db:VULMONid:CVE-2019-3943
Trust: 0.1
sources:
            
            
            VULHUB: VHN-155378 // 
            
            
            
            VULMON: CVE-2019-3943 // 
            
            
            
            JVNDB: JVNDB-2019-003365 // 
            
            
            
            CNNVD: CNNVD-201904-536 // 
            
            
            
            NVD: CVE-2019-3943

REFERENCES
url:https://www.tenable.com/security/research/tra-2019-16
Trust: 2.6
url:https://nvd.nist.gov/vuln/detail/cve-2019-3943
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3943
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/22.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://github.com/nozominetworks/pywinbox
Trust: 0.1
url:https://packetstormsecurity.com/files/155036/mikrotik-routeros-6.45.6-dns-cache-poisoning.html
Trust: 0.1
sources:
            
            
            VULHUB: VHN-155378 // 
            
            
            
            VULMON: CVE-2019-3943 // 
            
            
            
            JVNDB: JVNDB-2019-003365 // 
            
            
            
            CNNVD: CNNVD-201904-536 // 
            
            
            
            NVD: CVE-2019-3943

SOURCES
db:VULHUBid:VHN-155378
db:VULMONid:CVE-2019-3943
db:JVNDBid:JVNDB-2019-003365
db:CNNVDid:CNNVD-201904-536
db:NVDid:CVE-2019-3943

LAST UPDATE DATE
2024-11-23T21:51:53.194000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-155378date:2019-12-17T00:00:00
db:VULMONid:CVE-2019-3943date:2019-12-17T00:00:00
db:JVNDBid:JVNDB-2019-003365date:2019-05-15T00:00:00
db:CNNVDid:CNNVD-201904-536date:2019-04-12T00:00:00
db:NVDid:CVE-2019-3943date:2024-11-21T04:42:54.907

SOURCES RELEASE DATE
db:VULHUBid:VHN-155378date:2019-04-10T00:00:00
db:VULMONid:CVE-2019-3943date:2019-04-10T00:00:00
db:JVNDBid:JVNDB-2019-003365date:2019-05-15T00:00:00
db:CNNVDid:CNNVD-201904-536date:2019-04-10T00:00:00
db:NVDid:CVE-2019-3943date:2019-04-10T21:29:01.823