CVE-2018-20220

{"id": "CVE-2018-20220", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-03-21T16:00:35.407", "references": [{"url": "http://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2019/Feb/48", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://zxsecurity.co.nz/research.html", "tags": ["Not Applicable"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information."}, {"lang": "es", "value": "Se ha descubierto un problema en dispositivos Teracue ENC-400 con firmware en versiones 2.56 y anteriores. Aunque la interfaz web requiere autenticaci\u00f3n antes de que se pueda interactuar con ella, gran parte de los endpoints HTTP carecen de autenticaci\u00f3n. Un atacante es capaz de visualizar estas p\u00e1ginas antes de autenticarse; algunas de \u00e9stas podr\u00edan revelar informaci\u00f3n sensible."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:teracue:enc-400_hdmi_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EE35BEF-ECAF-4664-8FE5-AB72A00EF06D", "versionEndIncluding": "2.56"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:teracue:enc-400_hdmi:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "13123CDF-3D5D-43F9-A4D4-E108423CCAD8"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:teracue:enc-400_hdmi2_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "615943FC-CE51-4DE5-AA4F-7FAF35DA97D0", "versionEndIncluding": "2.56"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:teracue:enc-400_hdmi2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D86B2C0A-60B3-4964-9220-E69107BD3DEC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:teracue:enc-400_hdsdi_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39E93D58-6D19-44A9-A5B6-07CBF5C5F7AD", "versionEndIncluding": "2.56"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:teracue:enc-400_hdsdi:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F338471B-BA13-4ECC-B401-3B0D19D6F00F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}