CVE-2019-5171

Exploit

EPSS 0.23%
Veröffentlicht 12.03.2020 00:15:18
Zuletzt bearbeitet 21.11.2024 04:44:29
Quelle talos-cna@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send specially crafted packet at 0x1ea48 to the extracted hostname value from the xml file that is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=<contents of ip node> using sprintf().

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wago ≫ Pfc200 Firmware Version03.02.02(14)

Wago ≫ Pfc200 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.455

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962

Third Party Advisory

Exploit

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2019-5171

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-5171

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-5171

EUVD