CVE-2020-5757

Published: Jul 17, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.

Affected (3)

Products: Grandstream: Ucm6202 Firmware, Ucm6204 Firmware, Ucm6208 Firmware

3 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Grandstream Ucm6202 Firmware	Up to 1.0.20.23

Running on/with	Platform Versions
Grandstream Ucm6202	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Grandstream Ucm6204 Firmware	Up to 1.0.20.23

Running on/with	Platform Versions
Grandstream Ucm6204	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Grandstream Ucm6208 Firmware	Up to 1.0.20.23

Running on/with	Platform Versions
Grandstream Ucm6208	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://www.tenable.com/security/research/tra-2020-42

Source: vulnreport@tenable.com

Not Applicable

https://www.tenable.com/cve/CVE-2020-5757

Source: nvd@nist.gov

Third Party Advisory

https://www.tenable.com/security/research/tra-2020-42

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.