CVE-2019-16920

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-16920
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
https://fortiguard.com/zeroday/FG-VD-19-117 Broken Link Third Party Advisory
https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 Exploit Third Party Advisory
https://www.kb.cert.org/vuls/id/766427 Third Party Advisory US Government Resource
https://www.seebug.org/vuldb/ssvid-98079 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:dlink:dir-655_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-655:cx:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:dlink:dir-866l_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-866l:ax:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:dlink:dir-652_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-652:ax:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:dlink:dhp-1565_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dhp-1565:ax:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:dlink:dir-855l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-855l:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:dlink:dap-1533_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dap-1533:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:dlink:dir-862l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-862l:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:dlink:dir-615_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-615:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:dlink:dir-835_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-835:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:dlink:dir-825_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-825:-:*:*:*:*:*:*:*
History

16 Jul 2024, 17:54

Type Values Removed Values Added
First Time Dlink dir-862l Firmware
Dlink dir-615
Dlink dir-855l Firmware
Dlink dir-615 Firmware
Dlink dir-825 Firmware
Dlink dir-855l
Dlink dir-835 Firmware
Dlink dir-825
Dlink dap-1533
Dlink dap-1533 Firmware
Dlink dir-862l
Dlink dir-835
References () https://fortiguard.com/zeroday/FG-VD-19-117 - Third Party Advisory () https://fortiguard.com/zeroday/FG-VD-19-117 - Broken Link, Third Party Advisory
References () https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 - () https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 - Exploit, Third Party Advisory
References () https://www.kb.cert.org/vuls/id/766427 - () https://www.kb.cert.org/vuls/id/766427 - Third Party Advisory, US Government Resource
References () https://www.seebug.org/vuldb/ssvid-98079 - () https://www.seebug.org/vuldb/ssvid-98079 - Exploit, Third Party Advisory
CPE cpe:2.3:h:dlink:dir-825:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-825_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-615_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-835_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dap-1533:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-615:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-855l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-862l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-855l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dap-1533_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-862l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-835:-:*:*:*:*:*:*:*

07 Nov 2023, 03:06

Type Values Removed Values Added
References
  • {'url': 'https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3', 'name': 'https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3', 'tags': [], 'refsource': 'MISC'}
  • () https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 -
Information

Published : 2019-09-27 12:15

Updated : 2024-07-16 17:54

NVD link : CVE-2019-16920

Mitre link : CVE-2019-16920

CVE.ORG link : CVE-2019-16920

JSON object : View

Products Affected

dlink

  • dir-615
  • dir-652_firmware
  • dhp-1565
  • dir-655
  • dir-862l_firmware
  • dir-866l
  • dir-825_firmware
  • dhp-1565_firmware
  • dir-615_firmware
  • dir-855l_firmware
  • dap-1533_firmware
  • dir-866l_firmware
  • dap-1533
  • dir-835
  • dir-655_firmware
  • dir-862l
  • dir-855l
  • dir-825
  • dir-835_firmware
  • dir-652
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')