CVE-2019-20676

Certain NETGEAR devices are affected by lack of access control at the function level. This affects FS728TLP before 1.0.1.26, GS105Ev2 before 1.6.0.4, GS105PE before 1.6.0.4, GS108Ev3 before 2.06.08, GS108PEv3 before 2.06.08, GS110EMX before 1.0.1.4, GS116Ev2 before 2.6.0.35, GS408EPP before 1.0.0.15, GS724TPv2 before 1.1.1.29, GS808E before 1.7.0.7, GS810EMX before 1.7.1.1, GS908E before 1.7.0.3, GSS108E before 1.6.0.4, GSS108EPP before 1.0.0.15, GSS116E before 1.6.0.9, JGS516PE before 2.6.0.35, JGS524Ev2 before 2.6.0.35, JGS524PE before 2.6.0.35, XS512EM before 1.0.1.1, XS708Ev2 before 1.6.0.23, XS716E before 1.6.0.23, and XS724EM before 1.0.1.1.

CVSS v3.0 6.0 MEDIUM
CVSS v2.0 3.6 LOW

6.0^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 3.9 / Impact : 4.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://kb.netgear.com/000061463/Security-Advisory-for-Missing-Function-Level-Access-Control-on-Some-Switches-PSV-2018-0542	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:netgear:fs728tlp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:fs728tlp:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:netgear:gs105e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs105e:v2:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:netgear:gs105pe_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs105pe:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:netgear:gs108e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs108e:v3:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:netgear:gs108pe_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs108pe:v3:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:netgear:gs110emx_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs110emx:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:netgear:gs116e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs116e:v2:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:netgear:gs408epp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs408epp:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:netgear:gs724tp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs724tp:v2:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:netgear:gs808e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs808e:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:netgear:gs810emx_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs810emx:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:netgear:gs908e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gs908e:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:netgear:gss108e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gss108e:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:netgear:gss108epp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gss108epp:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:netgear:gss116e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:gss116e:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:netgear:jgs516pe_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:jgs516pe:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:netgear:jgs524e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:jgs524e:v2:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:netgear:jgs524pe_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:jgs524pe:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:netgear:xs512em_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:xs512em:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:netgear:xs708e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:xs708e:v2:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:netgear:xs716e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:xs716e:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:netgear:xs724em_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:xs724em:-:*:*:*:*:*:*:*

Information

Published : 2020-04-15 13:15

Updated : 2020-04-23 07:00

NVD link : CVE-2019-20676

Mitre link : CVE-2019-20676

JSON object : View

CWE

CWE-862

Missing Authorization

Products Affected

netgear

gs105e
jgs524e
xs708e
xs724em
jgs516pe_firmware
xs716e
gs408epp_firmware
gs808e
gs116e
gss108e_firmware
xs724em_firmware
gs110emx_firmware
gs108e
gss116e
xs512em
fs728tlp_firmware
gss108epp
xs512em_firmware
xs716e_firmware
gs810emx_firmware
gs105pe
gs810emx
gs724tp_firmware
gs908e
gss116e_firmware
gs108pe_firmware
gs105e_firmware
gss108e
gs808e_firmware
jgs524pe
jgs524pe_firmware
gs108pe
jgs516pe
gs408epp
gs110emx
gs105pe_firmware
fs728tlp
gs724tp
jgs524e_firmware
gs108e_firmware
xs708e_firmware
gs908e_firmware
gss108epp_firmware
gs116e_firmware

6.0 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.6 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-20676

6.0^/10

3.6^/10

Attach tags to `CVE-2019-20676`