ID

VAR-202004-0768


CVE

CVE-2019-20706


TITLE

OS command injection vulnerabilities on NETGEAR R7800 and XR500 devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-015334

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7800 before 1.0.2.60 and XR500 before 2.3.2.32. An OS command injection vulnerability exists on NETGEAR R7800 and XR500 devices. Information may be obtained or tampered with, and service operation may be interrupted (DoS). NETGEAR XR500 and NETGEAR R7800 are both wireless routers from NETGEAR. The vulnerability stems from the process of constructing executable operating system commands from external input data: the network system or product does not properly filter special characters, commands, etc. Attackers can use this vulnerability to execute illegal operating system commands.

Trust: 2.16

sources: NVD: CVE-2019-20706 // JVNDB: JVNDB-2019-015334 // CNVD: CNVD-2020-27261

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-27261

AFFECTED PRODUCTS

vendor: netgear, model: r7800, scope: lt, version: 1.0.2.60

Trust: 1.6

vendor: netgear, model: xr500, scope: lt, version: 2.3.2.32

Trust: 1.6

vendor: netgear, model: r7800, scope: eq, version: 1.0.2.60

Trust: 0.8

vendor: netgear, model: xr500, scope: eq, version: 2.3.2.32

Trust: 0.8

sources: CNVD: CNVD-2020-27261 // JVNDB: JVNDB-2019-015334 // NVD: CVE-2019-20706

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-20706
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2019-20706
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015334
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-27261
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202004-1290
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-20706
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-015334
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-27261
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-20706
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2019-20706
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2019-015334
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-27261 // JVNDB: JVNDB-2019-015334 // CNNVD: CNNVD-202004-1290 // NVD: CVE-2019-20706 // NVD: CVE-2019-20706

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: CWE-78

Trust: 0.8

sources: JVNDB: JVNDB-2019-015334 // NVD: CVE-2019-20706

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202004-1290

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202004-1290

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015334

PATCH

title: Security Advisory for Post-Authentication Command Injection on R7800 and XR500, PSV-2018-0354
url: https://kb.netgear.com/000061223/Security-Advisory-for-Post-Authentication-Command-Injection-on-R7800-and-XR500-PSV-2018-0354

Trust: 0.8

title: Patch for NETGEAR R7800 and XR500 operating system command injection vulnerability (CNVD-2020-27261)
url: https://www.cnvd.org.cn/patchInfo/show/216903

Trust: 0.6

title: NETGEAR R7800 and XR500 Fixes for operating system command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116560

Trust: 0.6

sources: CNVD: CNVD-2020-27261 // JVNDB: JVNDB-2019-015334 // CNNVD: CNNVD-202004-1290

EXTERNAL IDS

db: NVD, id: CVE-2019-20706

Trust: 3.0

db: JVNDB, id: JVNDB-2019-015334

Trust: 0.8

db: CNVD, id: CNVD-2020-27261

Trust: 0.6

db: CNNVD, id: CNNVD-202004-1290

Trust: 0.6

sources: CNVD: CNVD-2020-27261 // JVNDB: JVNDB-2019-015334 // CNNVD: CNNVD-202004-1290 // NVD: CVE-2019-20706

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-20706

Trust: 2.0

url:https://kb.netgear.com/000061223/security-advisory-for-post-authentication-command-injection-on-r7800-and-xr500-psv-2018-0354

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-20706

Trust: 0.8

sources: CNVD: CNVD-2020-27261 // JVNDB: JVNDB-2019-015334 // CNNVD: CNNVD-202004-1290 // NVD: CVE-2019-20706

CREDITS

Mongo

Trust: 0.6

sources: CNNVD: CNNVD-202004-1290

SOURCES

db: CNVD, id: CNVD-2020-27261
db: JVNDB, id: JVNDB-2019-015334
db: CNNVD, id: CNNVD-202004-1290
db: NVD, id: CVE-2019-20706

LAST UPDATE DATE

2024-11-23T21:51:35.205000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-27261, date: 2020-05-09T00:00:00
db: JVNDB, id: JVNDB-2019-015334, date: 2020-05-12T00:00:00
db: CNNVD, id: CNNVD-202004-1290, date: 2020-04-26T00:00:00
db: NVD, id: CVE-2019-20706, date: 2024-11-21T04:39:07.883

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-27261, date: 2020-05-09T00:00:00
db: JVNDB, id: JVNDB-2019-015334, date: 2020-05-12T00:00:00
db: CNNVD, id: CNNVD-202004-1290, date: 2020-04-16T00:00:00
db: NVD, id: CVE-2019-20706, date: 2020-04-16T19:15:24.307