Details of VAR-201907-0540

ID

VAR-201907-0540

CVE

CVE-2019-13153

TITLE

TRENDnet TEW-827DRU Firmware command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-005881

DESCRIPTION

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the Private Port in Add Virtual Server. TRENDnet TEW-827DRU The firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TRENDnet TEW-827DRU is a wireless router from TRENDnet. A command injection vulnerability exists in the apply.cgi file in the TRENDnet TEW-827DRU with firmware prior to 2.05B11. The vulnerability stems from the fact that external input data constructs executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command

Trust: 2.25

sources: NVD: CVE-2019-13153 // JVNDB: JVNDB-2019-005881 // CNVD: CNVD-2019-21270 // VULMON: CVE-2019-13153

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-21270

AFFECTED PRODUCTS

vendor:	trendnet	model:	tew-827dru	scope:	lt	version:	2.05b11	Trust: 1.8
vendor:	trendnet	model:	tew-827dru <2.05b11	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-21270 // JVNDB: JVNDB-2019-005881 // NVD: CVE-2019-13153

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-13153
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-13153
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-21270
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201907-135
value:	HIGH
Trust: 0.6
VULMON:	CVE-2019-13153
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-13153
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-21270
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-13153
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-21270 // VULMON: CVE-2019-13153 // JVNDB: JVNDB-2019-005881 // CNNVD: CNNVD-201907-135 // NVD: CVE-2019-13153

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	CWE-77	Trust: 0.8

sources: JVNDB: JVNDB-2019-005881 // NVD: CVE-2019-13153

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-135

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201907-135

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005881

PATCH

title:	Top Page	url:	https://www.trendnet.com/home	Trust: 0.8
title:	Patch for TRENDnet TEW-827DRU Command Injection Vulnerability (CNVD-2019-21270)	url:	https://www.cnvd.org.cn/patchInfo/show/166899	Trust: 0.6
title:	TRENDnet TEW-827DRU Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94334	Trust: 0.6

sources: CNVD: CNVD-2019-21270 // JVNDB: JVNDB-2019-005881 // CNNVD: CNNVD-201907-135

EXTERNAL IDS

db:	NVD	id:	CVE-2019-13153	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-005881	Trust: 0.8
db:	CNVD	id:	CNVD-2019-21270	Trust: 0.6
db:	CNNVD	id:	CNNVD-201907-135	Trust: 0.6
db:	VULMON	id:	CVE-2019-13153	Trust: 0.1

sources: CNVD: CNVD-2019-21270 // VULMON: CVE-2019-13153 // JVNDB: JVNDB-2019-005881 // CNNVD: CNNVD-201907-135 // NVD: CVE-2019-13153

REFERENCES

url:	https://github.com/teamseri0us/pocs/blob/master/iot/trendnet/cmdinject45.jpg	Trust: 3.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13153	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13153	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2019-21270 // VULMON: CVE-2019-13153 // JVNDB: JVNDB-2019-005881 // CNNVD: CNNVD-201907-135 // NVD: CVE-2019-13153

SOURCES

db:	CNVD	id:	CNVD-2019-21270
db:	VULMON	id:	CVE-2019-13153
db:	JVNDB	id:	JVNDB-2019-005881
db:	CNNVD	id:	CNNVD-201907-135
db:	NVD	id:	CVE-2019-13153

LAST UPDATE DATE

2024-11-23T22:51:43.496000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-21270	date:	2019-07-04T00:00:00
db:	VULMON	id:	CVE-2019-13153	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-005881	date:	2019-07-03T00:00:00
db:	CNNVD	id:	CNNVD-201907-135	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-13153	date:	2024-11-21T04:24:18.937

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-21270	date:	2019-07-04T00:00:00
db:	VULMON	id:	CVE-2019-13153	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-005881	date:	2019-07-03T00:00:00
db:	CNNVD	id:	CNNVD-201907-135	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2019-13153	date:	2019-07-02T13:15:12.540