CVE-2020-14109

There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12

CVSS v3 7.2 HIGH
CVSS v2.0 9.0 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=25&locale=zh	Broken Link

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:mi:ax3600:-:*:*:*:*:*:*:*

cpe:2.3:o:mi:ax3600_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-09-16 12:15

Updated : 2021-09-27 17:04

NVD link : CVE-2020-14109

Mitre link : CVE-2020-14109

CVE.ORG link : CVE-2020-14109

JSON object : View

Products Affected

mi

ax3600
ax3600_firmware

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2020-14109", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2021-09-16T12:15:07.087", "references": [{"url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=25&locale=zh", "tags": ["Broken Link"], "source": "security@xiaomi.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12"}, {"lang": "es", "value": "Se presenta una inyecci\u00f3n de comandos en el programa meshd en el sistema de enrutamiento, resultando en una ejecuci\u00f3n de comandos bajo la autoridad del administrador en Xiaomi router AX3600 con la versi\u00f3n de ROM anteriores a 1.1.12, incluy\u00e9ndola"}], "lastModified": "2021-09-27T17:04:52.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mi:ax3600:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FCDA6605-7C59-41C2-BA6E-65268D15FA21"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mi:ax3600_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96775913-9D30-49BB-AAE2-8418F5994AF3", "versionEndIncluding": "1.1.12"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@xiaomi.com"}