7.8

CVE-2019-16889

Exploit
Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
UiEr-x Firmware Version < 2.0.3
   UiEr-x Version-
UiEr-x-sfp Firmware Version < 2.0.3
   UiEr-x-sfp Version-
UiEp-r6 Firmware Version < 2.0.3
   UiEp-r6 Version-
UiErlite-3 Firmware Version < 2.0.3
   UiErlite-3 Version-
UiErpoe-5 Firmware Version < 2.0.3
   UiErpoe-5 Version-
UiEr-8 Firmware Version < 2.0.3
   UiEr-8 Version-
UiErpro-8 Firmware Version < 2.0.3
   UiErpro-8 Version-
UiEp-r8 Firmware Version < 2.0.3
   UiEp-r8 Version-
UiEr-4 Firmware Version < 2.0.3
   UiEr-4 Version-
UiEr-6p Firmware Version < 2.0.3
   UiEr-6p Version-
UiEr-12 Firmware Version < 2.0.3
   UiEr-12 Version-
UiEr-8-xg Firmware Version < 2.0.3
   UiEr-8-xg Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.09% 0.913
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 7.8 10 6.9
AV:N/AC:L/Au:N/C:N/I:N/A:C
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643
Patch
Vendor Advisory
https://hackerone.com/reports/406614
Third Party Advisory
Exploit
Issue Tracking
https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/
Third Party Advisory
Exploit