CVE-2020-14097 - Vulnerability Details

Vendors	Products
Mi	Redmi Ax6 Redmi Ax6 Firmware

Link	Providers
https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Xiaomi router AX6", "vendor": "n/a", "versions": [{"status": "affected", "version": "ROM version < 1.0.18"}]}], "descriptions": [{"lang": "en", "value": "Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18."}], "problemTypes": [{"descriptions": [{"description": "Unauthorized download", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-13T22:27:49", "orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@xiaomi.com", "ID": "CVE-2020-14097", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Xiaomi router AX6", "version": {"version_data": [{"version_value": "ROM version < 1.0.18"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unauthorized download"}]}]}, "references": {"reference_data": [{"name": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en", "refsource": "MISC", "url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:35.712Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en"}]}]}, "cveMetadata": {"assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "assignerShortName": "Xiaomi", "cveId": "CVE-2020-14097", "datePublished": "2021-01-13T22:27:49", "dateReserved": "2020-06-15T00:00:00", "dateUpdated": "2024-08-04T12:39:35.712Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Xiaomi router AX6 (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : ROM version < 1.0.18 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Unauthorized download (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-01-13T22:27:49 (string)

orgId : b57733aa-7326-4f07-8e09-0be8e0df1909 (string)

shortName : Xiaomi (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@xiaomi.com (string)

ID : CVE-2020-14097 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Xiaomi router AX6 (string)

version : { »

version_data : [ »

0 : { »

version_value : ROM version < 1.0.18 (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Unauthorized download (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en (string)

refsource : MISC (string)

url : https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T12:39:35.712Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : b57733aa-7326-4f07-8e09-0be8e0df1909 (string)

assignerShortName : Xiaomi (string)

cveId : CVE-2020-14097 (string)

datePublished : 2021-01-13T22:27:49 (string)

dateReserved : 2020-06-15T00:00:00 (string)

dateUpdated : 2024-08-04T12:39:35.712Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mi:redmi_ax6_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8768E6A-2DD0-4E8A-BEE9-561E267B7146", "versionEndExcluding": "1.0.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mi:redmi_ax6:-:*:*:*:*:*:*:*", "matchCriteriaId": "903508E7-AAB2-4539-BDCF-2F9F7DBB9CB4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18."}, {"lang": "es", "value": "la configuraci\u00f3n de nginx en la ROM AX6 del enrutador Xiaomi. (CVE-2020-14097)\tUna configuraci\u00f3n de nginx incorrecta, causa que se descarguen rutas espec\u00edficas sin autorizaci\u00f3n.&#xa0;Esto afecta la versi\u00f3n de la ROM AX6 del enrutador Xiaomi versiones anteriores a 1.0.18."}], "id": "CVE-2020-14097", "lastModified": "2024-11-21T05:02:38.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-13T23:15:13.070", "references": [{"source": "security@xiaomi.com", "tags": ["Vendor Advisory"], "url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en"}], "sourceIdentifier": "security@xiaomi.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:mi:redmi_ax6_firmware:*:*:*:*:*:*:*:* (string)

matchCriteriaId : E8768E6A-2DD0-4E8A-BEE9-561E267B7146 (string)

versionEndExcluding : 1.0.18 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

1 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:h:mi:redmi_ax6:-:*:*:*:*:*:*:* (string)

matchCriteriaId : 903508E7-AAB2-4539-BDCF-2F9F7DBB9CB4 (string)

vulnerable : false (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

operator : AND (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18. (string)

}

1 : { »

lang : es (string)

value : la configuración de nginx en la ROM AX6 del enrutador Xiaomi. (CVE-2020-14097) Una configuración de nginx incorrecta, causa que se descarguen rutas específicas sin autorización. Esto afecta la versión de la ROM AX6 del enrutador Xiaomi versiones anteriores a 1.0.18. (string)

}

]

id : CVE-2020-14097 (string)

lastModified : 2024-11-21T05:02:38.247 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 5 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-01-13T23:15:13.070 (string)

references : [ »

0 : { »

source : security@xiaomi.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=21&locale=en (string)

}

]

sourceIdentifier : security@xiaomi.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : NVD-CWE-noinfo (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object