CVE-2020-7847

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-7847
The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36.

8.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.2 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:A/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 5.1 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921 Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:h:iptime:nas-i:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas-i_firmware:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:h:iptime:nas-ii:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas-ii_firmware:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:h:iptime:nas-iie:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas-iie_firmware:*:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:h:iptime:nas101:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas101_firmware:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:h:iptime:nas1dual:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas1dual_firmware:*:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:h:iptime:nas2dual:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas2dual_firmware:*:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:h:iptime:nas3:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas3_firmware:*:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:h:iptime:nas4:-:*:*:*:*:*:*:*
cpe:2.3:o:iptime:nas4_firmware:*:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:iptime:nas4dual_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:iptime:nas4dual:-:*:*:*:*:*:*:*
History

No history.

Information

Published : 2021-02-23 16:15

Updated : 2021-02-27 02:39

NVD link : CVE-2020-7847

Mitre link : CVE-2020-7847

CVE.ORG link : CVE-2020-7847

JSON object : View

Products Affected

iptime

  • nas101
  • nas2dual_firmware
  • nas3_firmware
  • nas-i
  • nas4dual_firmware
  • nas4dual
  • nas-ii_firmware
  • nas-ii
  • nas101_firmware
  • nas-iie
  • nas2dual
  • nas3
  • nas1dual
  • nas1dual_firmware
  • nas-iie_firmware
  • nas-i_firmware
  • nas4
  • nas4_firmware
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type