Details of VAR-202004-0914

ID

VAR-202004-0914

CVE

CVE-2019-20680

TITLE

plural NETGEAR Injection vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-015470

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7000v2 before 1.0.0.53, R6220 before 1.1.0.80, R6260 before 1.1.0.64, R6700 before 1.0.2.6, R6700v2 before 1.2.0.36, R6800 before 1.2.0.36, R6900 before 1.0.2.4, R6900P before 1.3.1.64, R6900v2 before 1.2.0.36, R7000 before 1.0.9.60, R7000P before 1.3.1.64, R7800 before 1.0.2.60, R7900 before 1.0.3.8, R7900P before 1.4.1.30, R8000 before 1.0.4.46, R8000P before 1.4.1.30, R8300 before 1.0.2.128, R8500 before 1.0.2.128, R8900 before 1.0.4.12, R9000 before 1.0.4.12, and XR500 before 2.3.2.32. plural NETGEAR A device contains an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR XR500 and so on are all products of NETGEAR. NETGEAR XR500 is a wireless router. NETGEAR D7000 is a wireless modem. NETGEAR R6220 is a wireless router. The vulnerability stems from the process of constructing executable commands from external input data. The network system or product does not properly filter the special elements. The attacker can use this vulnerability to execute illegal commands

Trust: 2.16

sources: NVD: CVE-2019-20680 // JVNDB: JVNDB-2019-015470 // CNVD: CNVD-2020-24422

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-24422

AFFECTED PRODUCTS

vendor:	netgear	model:	r6220	scope:	lt	version:	1.1.0.80	Trust: 1.6
vendor:	netgear	model:	r6260	scope:	lt	version:	1.1.0.64	Trust: 1.6
vendor:	netgear	model:	r6800	scope:	lt	version:	1.2.0.36	Trust: 1.6
vendor:	netgear	model:	r6700	scope:	lt	version:	1.0.2.6	Trust: 1.6
vendor:	netgear	model:	r6900	scope:	lt	version:	1.0.2.4	Trust: 1.6
vendor:	netgear	model:	r6900p	scope:	lt	version:	1.3.1.64	Trust: 1.6
vendor:	netgear	model:	r7000	scope:	lt	version:	1.0.9.60	Trust: 1.6
vendor:	netgear	model:	r7000p	scope:	lt	version:	1.3.1.64	Trust: 1.6
vendor:	netgear	model:	r7800	scope:	lt	version:	1.0.2.60	Trust: 1.6
vendor:	netgear	model:	r7900	scope:	lt	version:	1.0.3.8	Trust: 1.6
vendor:	netgear	model:	r7900p	scope:	lt	version:	1.4.1.30	Trust: 1.6
vendor:	netgear	model:	r8000	scope:	lt	version:	1.0.4.46	Trust: 1.6
vendor:	netgear	model:	r8000p	scope:	lt	version:	1.4.1.30	Trust: 1.6
vendor:	netgear	model:	r8300	scope:	lt	version:	1.0.2.128	Trust: 1.6
vendor:	netgear	model:	r8500	scope:	lt	version:	1.0.2.128	Trust: 1.6
vendor:	netgear	model:	r8900	scope:	lt	version:	1.0.4.12	Trust: 1.6
vendor:	netgear	model:	r9000	scope:	lt	version:	1.0.4.12	Trust: 1.6
vendor:	netgear	model:	xr500	scope:	lt	version:	2.3.2.32	Trust: 1.6
vendor:	netgear	model:	d7000	scope:	lt	version:	1.0.0.53	Trust: 1.0
vendor:	netgear	model:	r6700	scope:	lt	version:	1.2.0.36	Trust: 1.0
vendor:	netgear	model:	r6900	scope:	lt	version:	1.2.0.36	Trust: 1.0
vendor:	netgear	model:	d7000	scope:	eq	version:	1.0.0.53	Trust: 0.8
vendor:	netgear	model:	r6220	scope:	eq	version:	1.1.0.80	Trust: 0.8
vendor:	netgear	model:	r6260	scope:	eq	version:	1.1.0.64	Trust: 0.8
vendor:	netgear	model:	r6700	scope:	eq	version:	1.0.2.6	Trust: 0.8
vendor:	netgear	model:	r6700	scope:	eq	version:	1.2.0.36	Trust: 0.8
vendor:	netgear	model:	r6800	scope:	eq	version:	1.2.0.36	Trust: 0.8
vendor:	netgear	model:	r6900	scope:	eq	version:	1.0.2.4	Trust: 0.8
vendor:	netgear	model:	r6900	scope:	eq	version:	1.2.0.36	Trust: 0.8
vendor:	netgear	model:	r6900p	scope:	eq	version:	1.3.1.64	Trust: 0.8
vendor:	netgear	model:	r7000	scope:	eq	version:	1.0.9.60	Trust: 0.8
vendor:	netgear	model:	r6700	scope:	lt	version:	21.2.0.36	Trust: 0.6
vendor:	netgear	model:	r6900	scope:	lt	version:	21.2.0.36	Trust: 0.6
vendor:	netgear	model:	d7000	scope:	lt	version:	21.0.0.53	Trust: 0.6

sources: CNVD: CNVD-2020-24422 // JVNDB: JVNDB-2019-015470 // NVD: CVE-2019-20680

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-20680
value:	HIGH
Trust: 1.0
cve@mitre.org:	CVE-2019-20680
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2019-015470
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-24422
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202004-1206
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2019-20680
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-015470
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-24422
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-20680
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2019-20680
baseSeverity:	HIGH
baseScore:	7.0
vectorString:	CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	1.5
impactScore:	5.5
version:	3.0
Trust: 1.0
NVD:	JVNDB-2019-015470
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-24422 // JVNDB: JVNDB-2019-015470 // CNNVD: CNNVD-202004-1206 // NVD: CVE-2019-20680 // NVD: CVE-2019-20680

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	CWE-74	Trust: 0.8

sources: JVNDB: JVNDB-2019-015470 // NVD: CVE-2019-20680

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202004-1206

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015470

PATCH

title:	Security Advisory for Post-Authentication Command Injection on Some Routers and Gateways, PSV-2018-0388	url:	https://kb.netgear.com/000061459/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-Gateways-PSV-2018-0388	Trust: 0.8
title:	Patch for Multiple NETGEAR product command injection vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/215157	Trust: 0.6
title:	Multiple NETGEAR Product Command Injection Vulnerability Fixes	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116085	Trust: 0.6

sources: CNVD: CNVD-2020-24422 // JVNDB: JVNDB-2019-015470 // CNNVD: CNNVD-202004-1206

EXTERNAL IDS

db:	NVD	id:	CVE-2019-20680	Trust: 3.0
db:	JVNDB	id:	JVNDB-2019-015470	Trust: 0.8
db:	CNVD	id:	CNVD-2020-24422	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1206	Trust: 0.6

sources: CNVD: CNVD-2020-24422 // JVNDB: JVNDB-2019-015470 // CNNVD: CNNVD-202004-1206 // NVD: CVE-2019-20680

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-20680	Trust: 2.0
url:	https://kb.netgear.com/000061459/security-advisory-for-post-authentication-command-injection-on-some-routers-and-gateways-psv-2018-0388	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-20680	Trust: 0.8

sources: CNVD: CNVD-2020-24422 // JVNDB: JVNDB-2019-015470 // CNNVD: CNNVD-202004-1206 // NVD: CVE-2019-20680

SOURCES

db:	CNVD	id:	CNVD-2020-24422
db:	JVNDB	id:	JVNDB-2019-015470
db:	CNNVD	id:	CNNVD-202004-1206
db:	NVD	id:	CVE-2019-20680

LAST UPDATE DATE

2024-11-23T22:11:31.043000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-24422	date:	2020-04-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-015470	date:	2020-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202004-1206	date:	2020-04-21T00:00:00
db:	NVD	id:	CVE-2019-20680	date:	2024-11-21T04:39:03.817

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-24422	date:	2020-04-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-015470	date:	2020-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202004-1206	date:	2020-04-15T00:00:00
db:	NVD	id:	CVE-2019-20680	date:	2020-04-15T20:15:14.583