CVE-2020-24577 - OpenCVE

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dlink	Dsl-2888a Dsl-2888a Firmware

Configuration 1 [-]

AND

cpe:2.3:h:dlink:dsl-2888a:-:*:*:*:*:*:*:*

cpe:2.3:o:dlink:dsl-2888a_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28241

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-08T06:45:09

Updated: 2024-08-04T15:19:09.311Z

Reserved: 2020-08-21T00:00:00

Link: CVE-2020-24577

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-08T07:15:11.810

Modified: 2021-04-23T17:37:34.743

Link: CVE-2020-24577

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-08T06:45:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28241"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24577", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/", "refsource": "MISC", "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/"}, {"name": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/", "refsource": "CONFIRM", "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/"}, {"name": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28241", "refsource": "MISC", "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28241"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:09.311Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28241"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24577", "datePublished": "2021-01-08T06:45:09", "dateReserved": "2020-08-21T00:00:00", "dateUpdated": "2024-08-04T15:19:09.311Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dsl-2888a:-:*:*:*:*:*:*:*", "matchCriteriaId": "F108066A-37E9-4FFD-8C3A-A322313B0C81", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dsl-2888a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A6A88C7-5813-4D25-BA17-9CB44CC9DCB1", "versionEndExcluding": "au_2.31_v1.1.47ae55", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos D-Link DSL-2888A con versiones de firmware anteriores a AU_2.31_V1.1.47ae55. La aplicaci\u00f3n One Touch revela informaci\u00f3n confidencial, tal y como la contrase\u00f1a de inicio de sesi\u00f3n de administrador en el hash y el nombre de usuario de la conexi\u00f3n del proveedor de Internet y la contrase\u00f1a en texto sin cifrar, en el cuerpo de respuesta de la aplicaci\u00f3n para un URI /tmp/var/passwd o /tmp/home/wan_stat"}], "id": "CVE-2020-24577", "lastModified": "2021-04-23T17:37:34.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-08T07:15:11.810", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28241"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}]}