CVE-2019-3425

The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZXUPN-9000E are impacted by vulnerability of permission and access control. An attacker could exploit this vulnerability to directly reset or change passwords of other accounts.

CVSS v3 8.8 HIGH
CVSS v2.0 7.5 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1011683	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zte:zxupn-9000e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:zxupn-9000e:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-11-08 19:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-3425

Mitre link : CVE-2019-3425

CVE.ORG link : CVE-2019-3425

JSON object : View

Products Affected

zte

zxupn-9000e_firmware
zxupn-9000e

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2019-3425", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-11-08T19:15:10.363", "references": [{"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1011683", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZXUPN-9000E are impacted by vulnerability of permission and access control. An attacker could exploit this vulnerability to directly reset or change passwords of other accounts."}, {"lang": "es", "value": "La versi\u00f3n 9000EV5.0R1B12 y todas las versiones anteriores del producto ZTE ZXUPN-9000E est\u00e1n impactadas por una vulnerabilidad de los permisos y el control de acceso. Un atacante podr\u00eda explotar esta vulnerabilidad para restablecer o cambiar directamente las contrase\u00f1as de otras cuentas."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxupn-9000e_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53DBC77D-69B7-4857-91B8-F40632A42419", "versionEndExcluding": "9000ev5.0r1b12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxupn-9000e:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CB63DD6C-FBD6-4C12-8FD9-65178117C2FB"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@zte.com.cn"}