CVE-2019-11061

{"id": "CVE-2019-11061", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2019-08-29T01:15:10.930", "references": [{"url": "http://surl.twcert.org.tw/5df6x", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://github.com/tim124058/ASUS-SmartHome-Exploit/", "tags": ["Exploit", "Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906003", "tags": ["Exploit", "Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso interrumpida en las versiones de firmware HG100 hasta 4.00.06 permite que un atacante en la misma red de \u00e1rea local controle dispositivos IoT que se conectan a s\u00ed mismos mediante http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 Puntuaci\u00f3n Base 10 (Impactos de Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:asus:hg100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B3A41D7-B16C-4FA5-89A3-BF761FEF8444", "versionEndExcluding": "4.00.09"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:asus:hg100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DFEFB004-6477-408B-A114-8ABCA8AC8D19"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "twcert@cert.org.tw"}