CVE-2020-10974

Published: May 7, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000

Affected (13)

Products: Wavlink: Wl Wn575a3 Firmware, Wl Wn579g3 Firmware, Wn531a6 Firmware, Wn535g3 Firmware, Wn530h4 Firmware, Wn57x93 Firmware, Wn572hg3 Firmware, Wn575a4 Firmware, Wn578a2 Firmware, Wn579g3 Firmware, Wn579x3 Firmware, Jetstream Ac3000 Firmware, Jetstream Erac3000 Firmware

13 products

Jetstream Ac3000 Firmware

Jetstream Erac3000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wl Wn575a3 Firmware	Version rpt75a3.v4300.180801

Running on/with	Platform Versions
Wavlink Wl Wn575a3	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wl Wn579g3 Firmware	Version m79x3.v5030.180719

Running on/with	Platform Versions
Wavlink Wl Wn579g3	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn531a6 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn531a6	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn535g3 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn535g3	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn530h4 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn530h4	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn57x93 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn57x93	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn572hg3 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn572hg3	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn575a4 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn575a4	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn578a2 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn578a2	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn579g3 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn579g3	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Wn579x3 Firmware	All versions

Running on/with	Platform Versions
Wavlink Wn579x3	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Jetstream Ac3000 Firmware	All versions

Running on/with	Platform Versions
Wavlink Jetstream Ac3000	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Wavlink Jetstream Erac3000 Firmware	All versions

Running on/with	Platform Versions
Wavlink Jetstream Erac3000	All versions

Related CWEs

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (8)

https://github.com/Roni-Carta/nyra

Source: cve@mitre.org

Not ApplicableThird Party Advisory

https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974

Source: cve@mitre.org

Third Party Advisory

https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974-affected_devices

Source: cve@mitre.org

Third Party Advisory

https://github.com/sudo-jtcsec/Nyra

Source: cve@mitre.org

Broken Link

https://github.com/Roni-Carta/nyra

Source: af854a3a-2127-422b-91ae-364da2661108

Not ApplicableThird Party Advisory

https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974-affected_devices

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/sudo-jtcsec/Nyra

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.