Details of VAR-201904-1092

ID

VAR-201904-1092

CVE

CVE-2019-10633

TITLE

Zyxel NAS 326 Code injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-003315 // CNNVD: CNNVD-201904-495

DESCRIPTION

An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to execute arbitrary code via the tjp6jp6y4, simZysh, and ck6fup6 APIs. Zyxel NAS 326 Contains a code injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ZyxelNAS326 is a dual-disc personal cloud storage device from Zyxel. Remote authentication attackers can exploit this vulnerability to execute arbitrary code through tjp6jp6y4, simZysh, and ck6fup6API. ZyXEL NAS 326 is a NAS (Network Attached Storage) device produced by ZyXEL Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing code segments from external input data

Trust: 2.25

sources: NVD: CVE-2019-10633 // JVNDB: JVNDB-2019-003315 // CNVD: CNVD-2019-13782 // VULHUB: VHN-142199

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-13782

AFFECTED PRODUCTS

vendor:	zyxel	model:	nas326	scope:	lte	version:	5.21	Trust: 1.0
vendor:	zyxel	model:	nas 326	scope:	lte	version:	5.21	Trust: 0.8
vendor:	zyxel	model:	nas	scope:	eq	version:	326<=5.21	Trust: 0.6

sources: CNVD: CNVD-2019-13782 // JVNDB: JVNDB-2019-003315 // NVD: CVE-2019-10633

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10633
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-10633
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-13782
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201904-495
value:	HIGH
Trust: 0.6
VULHUB:	VHN-142199
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-10633
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-13782
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-142199
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-10633
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-13782 // VULHUB: VHN-142199 // JVNDB: JVNDB-2019-003315 // CNNVD: CNNVD-201904-495 // NVD: CVE-2019-10633

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.9

sources: VULHUB: VHN-142199 // JVNDB: JVNDB-2019-003315 // NVD: CVE-2019-10633

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-495

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-495

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003315

PATCH

title:

NAS326

url:

https://www.zyxel.com/products_services/2-Bay-Personal-Cloud-Storage-NAS326/

Trust: 0.8

sources: JVNDB: JVNDB-2019-003315

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10633	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-003315	Trust: 0.8
db:	CNNVD	id:	CNNVD-201904-495	Trust: 0.7
db:	CNVD	id:	CNVD-2019-13782	Trust: 0.6
db:	VULHUB	id:	VHN-142199	Trust: 0.1

sources: CNVD: CNVD-2019-13782 // VULHUB: VHN-142199 // JVNDB: JVNDB-2019-003315 // CNNVD: CNNVD-201904-495 // NVD: CVE-2019-10633

REFERENCES

url:	http://maxwelldulin.com/blogpost?post=3236967424	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10633	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10633	Trust: 0.8

sources: CNVD: CNVD-2019-13782 // VULHUB: VHN-142199 // JVNDB: JVNDB-2019-003315 // CNNVD: CNNVD-201904-495 // NVD: CVE-2019-10633

SOURCES

db:	CNVD	id:	CNVD-2019-13782
db:	VULHUB	id:	VHN-142199
db:	JVNDB	id:	JVNDB-2019-003315
db:	CNNVD	id:	CNNVD-201904-495
db:	NVD	id:	CVE-2019-10633

LAST UPDATE DATE

2024-11-23T21:52:20.020000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-13782	date:	2019-06-19T00:00:00
db:	VULHUB	id:	VHN-142199	date:	2019-04-10T00:00:00
db:	JVNDB	id:	JVNDB-2019-003315	date:	2019-05-14T00:00:00
db:	CNNVD	id:	CNNVD-201904-495	date:	2019-04-17T00:00:00
db:	NVD	id:	CVE-2019-10633	date:	2024-11-21T04:19:38.027

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-13782	date:	2019-05-13T00:00:00
db:	VULHUB	id:	VHN-142199	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003315	date:	2019-05-14T00:00:00
db:	CNNVD	id:	CNNVD-201904-495	date:	2019-04-09T00:00:00
db:	NVD	id:	CVE-2019-10633	date:	2019-04-09T05:29:00.387