ID

VAR-201904-1090


CVE

CVE-2019-10631


TITLE

Zyxel NAS 326 Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003300

DESCRIPTION

Shell Metacharacter Injection in the package installer on Zyxel NAS 326 version 5.21 and below allows an authenticated attacker to execute arbitrary code via multiple different requests. Zyxel NAS 326 Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ZyxelNAS326 is a dual-disc personal cloud storage device from Zyxel. A shell meta-injection vulnerability exists in the package installer in ZyxelNAS3265.21 and earlier. ZyXEL NAS 326 is a NAS (Network Attached Storage) device produced by ZyXEL Corporation of Taiwan, China. The vulnerability comes from the fact that the network system or product does not properly filter special elements in the process of constructing executable commands from external input data

Trust: 2.25

sources: NVD: CVE-2019-10631 // JVNDB: JVNDB-2019-003300 // CNVD: CNVD-2019-13780 // VULHUB: VHN-142197

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-13780

AFFECTED PRODUCTS

vendor:zyxelmodel:nas326scope:lteversion:5.21

Trust: 1.0

vendor:zyxelmodel:nas 326scope:lteversion:5.21

Trust: 0.8

vendor:zyxelmodel:nasscope:eqversion:326<=5.21

Trust: 0.6

sources: CNVD: CNVD-2019-13780 // JVNDB: JVNDB-2019-003300 // NVD: CVE-2019-10631

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10631
value: HIGH

Trust: 1.0

NVD: CVE-2019-10631
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-13780
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201904-500
value: HIGH

Trust: 0.6

VULHUB: VHN-142197
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10631
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-13780
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-142197
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10631
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-13780 // VULHUB: VHN-142197 // JVNDB: JVNDB-2019-003300 // CNNVD: CNNVD-201904-500 // NVD: CVE-2019-10631

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-142197 // JVNDB: JVNDB-2019-003300 // NVD: CVE-2019-10631

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-500

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-500

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003300

PATCH

title:NAS326url:https://www.zyxel.com/products_services/2-Bay-Personal-Cloud-Storage-NAS326/

Trust: 0.8

sources: JVNDB: JVNDB-2019-003300

EXTERNAL IDS

db:NVDid:CVE-2019-10631

Trust: 3.1

db:JVNDBid:JVNDB-2019-003300

Trust: 0.8

db:CNNVDid:CNNVD-201904-500

Trust: 0.7

db:CNVDid:CNVD-2019-13780

Trust: 0.6

db:VULHUBid:VHN-142197

Trust: 0.1

sources: CNVD: CNVD-2019-13780 // VULHUB: VHN-142197 // JVNDB: JVNDB-2019-003300 // CNNVD: CNNVD-201904-500 // NVD: CVE-2019-10631

REFERENCES

url:http://maxwelldulin.com/blogpost?post=3236967424

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-10631

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10631

Trust: 0.8

sources: CNVD: CNVD-2019-13780 // VULHUB: VHN-142197 // JVNDB: JVNDB-2019-003300 // CNNVD: CNNVD-201904-500 // NVD: CVE-2019-10631

SOURCES

db:CNVDid:CNVD-2019-13780
db:VULHUBid:VHN-142197
db:JVNDBid:JVNDB-2019-003300
db:CNNVDid:CNNVD-201904-500
db:NVDid:CVE-2019-10631

LAST UPDATE DATE

2024-11-23T22:41:30.904000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-13780date:2019-06-19T00:00:00
db:VULHUBid:VHN-142197date:2020-08-24T00:00:00
db:JVNDBid:JVNDB-2019-003300date:2019-05-14T00:00:00
db:CNNVDid:CNNVD-201904-500date:2020-10-28T00:00:00
db:NVDid:CVE-2019-10631date:2024-11-21T04:19:37.770

SOURCES RELEASE DATE

db:CNVDid:CNVD-2019-13780date:2019-05-13T00:00:00
db:VULHUBid:VHN-142197date:2019-04-09T00:00:00
db:JVNDBid:JVNDB-2019-003300date:2019-05-14T00:00:00
db:CNNVDid:CNNVD-201904-500date:2019-04-09T00:00:00
db:NVDid:CVE-2019-10631date:2019-04-09T05:29:00.293