ID

VAR-202004-0769


CVE

CVE-2019-20707


TITLE

NETGEAR R7800 and XR500 operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-27262 // CNNVD: CNNVD-202004-1291

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7800 before 1.0.2.60 and XR500 before 2.3.2.32. An OS command injection vulnerability exists on NETGEAR R7800 and XR500 devices. Information may be obtained or tampered with, and service operation may be interrupted (DoS). NETGEAR XR500 and NETGEAR R7800 are both wireless routers from NETGEAR. The vulnerability stems from the process of constructing executable operating system commands from external input data: the network system or product does not properly filter special characters, commands, etc. Attackers can use this vulnerability to execute illegal operating system commands.

Trust: 2.16

sources: NVD: CVE-2019-20707 // JVNDB: JVNDB-2019-015335 // CNVD: CNVD-2020-27262

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-27262

AFFECTED PRODUCTS

vendor: netgear, model: r7800, scope: lt, version: 1.0.2.60

Trust: 1.6

vendor: netgear, model: xr500, scope: lt, version: 2.3.2.32

Trust: 1.6

vendor: netgear, model: r7800, scope: eq, version: 1.0.2.60

Trust: 0.8

vendor: netgear, model: xr500, scope: eq, version: 2.3.2.32

Trust: 0.8

sources: CNVD: CNVD-2020-27262 // JVNDB: JVNDB-2019-015335 // NVD: CVE-2019-20707

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-20707
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2019-20707
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015335
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-27262
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202004-1291
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-20707
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-015335
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-27262
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-20707
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2019-20707
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2019-015335
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-27262 // JVNDB: JVNDB-2019-015335 // CNNVD: CNNVD-202004-1291 // NVD: CVE-2019-20707 // NVD: CVE-2019-20707

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: CWE-78

Trust: 0.8

sources: JVNDB: JVNDB-2019-015335 // NVD: CVE-2019-20707

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202004-1291

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202004-1291

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015335

PATCH

title: Security Advisory for Post-Authentication Command Injection on R7800 and XR500, PSV-2018-0353
url: https://kb.netgear.com/000061222/Security-Advisory-for-Post-Authentication-Command-Injection-on-R7800-and-XR500-PSV-2018-0353

Trust: 0.8

title: Patch for NETGEAR R7800 and XR500 operating system command injection vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/216901

Trust: 0.6

title: NETGEAR R7800 and XR500 Fixes for operating system command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116561

Trust: 0.6

sources: CNVD: CNVD-2020-27262 // JVNDB: JVNDB-2019-015335 // CNNVD: CNNVD-202004-1291

EXTERNAL IDS

db: NVD, id: CVE-2019-20707

Trust: 3.0

db: JVNDB, id: JVNDB-2019-015335

Trust: 0.8

db: CNVD, id: CNVD-2020-27262

Trust: 0.6

db: CNNVD, id: CNNVD-202004-1291

Trust: 0.6

sources: CNVD: CNVD-2020-27262 // JVNDB: JVNDB-2019-015335 // CNNVD: CNNVD-202004-1291 // NVD: CVE-2019-20707

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2019-20707

Trust: 2.0

url: https://kb.netgear.com/000061222/security-advisory-for-post-authentication-command-injection-on-r7800-and-xr500-psv-2018-0353

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-20707

Trust: 0.8

sources: CNVD: CNVD-2020-27262 // JVNDB: JVNDB-2019-015335 // CNNVD: CNNVD-202004-1291 // NVD: CVE-2019-20707

CREDITS

Mongo

Trust: 0.6

sources: CNNVD: CNNVD-202004-1291

SOURCES

db: CNVD, id: CNVD-2020-27262
db: JVNDB, id: JVNDB-2019-015335
db: CNNVD, id: CNNVD-202004-1291
db: NVD, id: CVE-2019-20707

LAST UPDATE DATE

2024-11-23T22:55:11.077000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-27262, date: 2020-05-09T00:00:00
db: JVNDB, id: JVNDB-2019-015335, date: 2020-05-12T00:00:00
db: CNNVD, id: CNNVD-202004-1291, date: 2020-04-26T00:00:00
db: NVD, id: CVE-2019-20707, date: 2024-11-21T04:39:08.023

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-27262, date: 2020-05-09T00:00:00
db: JVNDB, id: JVNDB-2019-015335, date: 2020-05-12T00:00:00
db: CNNVD, id: CNNVD-202004-1291, date: 2020-04-16T00:00:00
db: NVD, id: CVE-2019-20707, date: 2020-04-16T19:15:24.353