ID

VAR-201911-0811


CVE

CVE-2019-5072


TITLE

OS command injection vulnerability in Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router

Trust: 0.8

sources: JVNDB: JVNDB-2019-012519

DESCRIPTION

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS2 POST parameters, resulting in code execution. An attacker can send an HTTP POST request containing a command to trigger this vulnerability. Tenda AC9 is a wireless router from China's Tenda. The /goform/WanParameterSetting function in Tenda AC9 has an operating system command injection vulnerability. The vulnerability stems from the product failing to properly filter special characters, commands, and similar input when it constructs an executable operating system command from external input data.

Trust: 2.16

sources: NVD: CVE-2019-5072 // JVNDB: JVNDB-2019-012519 // CNVD: CNVD-2020-02715

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-02715

AFFECTED PRODUCTS

vendor: tendacn, model: ac9v1.0, scope: eq, version: 15.03.05.14_en

Trust: 1.0

vendor: tendacn, model: ac9v1.0, scope: eq, version: 15.03.05.16multitru

Trust: 1.0

vendor: tenda, model: ac9v1.0, scope: eq, version: 15.03.05.16multitru

Trust: 0.8

vendor: tenda, model: ac9, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-02715 // JVNDB: JVNDB-2019-012519 // NVD: CVE-2019-5072

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-5072
value: HIGH

Trust: 1.0

talos-cna@cisco.com: CVE-2019-5072
value: HIGH

Trust: 1.0

NVD: CVE-2019-5072
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-02715
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201911-1257
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-5072
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-02715
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

talos-cna@cisco.com: CVE-2019-5072
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-5072
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2020-02715 // JVNDB: JVNDB-2019-012519 // CNNVD: CNNVD-201911-1257 // NVD: CVE-2019-5072 // NVD: CVE-2019-5072

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-012519 // NVD: CVE-2019-5072

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-1257

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201911-1257

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012519

PATCH

title: AC9 / Router / AC1200 Smart Dual-Band Gigabit WiFi Router
url: https://tendacn.com/en/product/AC9.html

Trust: 0.8

sources: JVNDB: JVNDB-2019-012519

EXTERNAL IDS

db: NVD, id: CVE-2019-5072

Trust: 3.0

db: TALOS, id: TALOS-2019-0861

Trust: 3.0

db: JVNDB, id: JVNDB-2019-012519

Trust: 0.8

db: CNVD, id: CNVD-2020-02715

Trust: 0.6

db: CNNVD, id: CNNVD-201911-1257

Trust: 0.6

sources: CNVD: CNVD-2020-02715 // JVNDB: JVNDB-2019-012519 // CNNVD: CNNVD-201911-1257 // NVD: CVE-2019-5072

REFERENCES

url:https://talosintelligence.com/vulnerability_reports/talos-2019-0861

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-5072

Trust: 1.4

url:https://www.talosintelligence.com/vulnerability_reports/talos-2019-0861

Trust: 1.2

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5072

Trust: 0.8

sources: CNVD: CNVD-2020-02715 // JVNDB: JVNDB-2019-012519 // CNNVD: CNNVD-201911-1257 // NVD: CVE-2019-5072

SOURCES

db: CNVD, id: CNVD-2020-02715
db: JVNDB, id: JVNDB-2019-012519
db: CNNVD, id: CNNVD-201911-1257
db: NVD, id: CVE-2019-5072

LAST UPDATE DATE

2024-11-23T21:59:38.384000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-02715, date: 2020-01-19T00:00:00
db: JVNDB, id: JVNDB-2019-012519, date: 2019-12-04T00:00:00
db: CNNVD, id: CNNVD-201911-1257, date: 2022-04-20T00:00:00
db: NVD, id: CVE-2019-5072, date: 2024-11-21T04:44:17.803

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-02715, date: 2020-01-19T00:00:00
db: JVNDB, id: JVNDB-2019-012519, date: 2019-12-04T00:00:00
db: CNNVD, id: CNNVD-201911-1257, date: 2019-11-21T00:00:00
db: NVD, id: CVE-2019-5072, date: 2019-11-21T17:15:12.147