An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Wavlink
  • Jetstream Ac3000
  • Jetstream Ac3000 Firmware
  • Jetstream Erac3000
  • Jetstream Erac3000 Firmware
  • Wl-wn575a3
  • Wl-wn575a3 Firmware
  • Wl-wn579g3
  • Wl-wn579g3 Firmware
  • Wn530h4
  • Wn530h4 Firmware
  • Wn531a6
  • Wn531a6 Firmware
  • Wn535g3
  • Wn535g3 Firmware
  • Wn572hg3
  • Wn572hg3 Firmware
  • Wn575a4
  • Wn575a4 Firmware
  • Wn578a2
  • Wn578a2 Firmware
  • Wn579g3
  • Wn579g3 Firmware
  • Wn579x3
  • Wn579x3 Firmware
  • Wn57x93
  • Wn57x93 Firmware

Configuration 1 [-]

AND
cpe:2.3:o:wavlink:wl-wn575a3_firmware:rpt75a3.v4300.180801:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wl-wn575a3:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:wavlink:wl-wn579g3_firmware:m79x3.v5030.180719:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wl-wn579g3:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:wavlink:wn531a6_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn531a6:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:wavlink:wn535g3_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn535g3:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:wavlink:wn530h4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn530h4:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:wavlink:wn57x93_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn57x93:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:wavlink:wn572hg3_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn572hg3:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:wavlink:wn575a4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn575a4:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:wavlink:wn578a2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn578a2:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:wavlink:wn579g3_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn579g3:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:wavlink:wn579x3_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:wn579x3:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:wavlink:jetstream_ac3000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:jetstream_ac3000:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:o:wavlink:jetstream_erac3000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:wavlink:jetstream_erac3000:-:*:*:*:*:*:*:*

No data.

References
Link Providers
https://github.com/Roni-Carta/nyra cve-icon cve-icon
https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974 cve-icon cve-icon
https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974-affected_devices cve-icon cve-icon
https://github.com/sudo-jtcsec/Nyra cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-07T17:42:57

Updated: 2024-08-04T11:21:14.401Z

Reserved: 2020-03-26T00:00:00

Link: CVE-2020-10974

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-05-07T18:15:11.333

Modified: 2024-11-21T04:56:29.563

Link: CVE-2020-10974

cve-icon Redhat

No data.