History: Sep 25, 2019 - 8:15 p.m.

CVE-2019-16889

2019-09-25 20:15:11
CWE-770
mitre
web.nvd.nist.gov
42
ubiquiti edgemax
cve-2019-16889
denial of service
disk consumption
beaker.session.id
nvd

CVSS2: 7.8
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.5
Confidence: High

EPSS: 0.007
Percentile: 81.2%

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.

Affected configurations

Nvd
Node: ui er-x_firmware (Range <2.0.3) AND ui er-x (Match -)
Node: ui er-x-sfp_firmware (Range <2.0.3) AND ui er-x-sfp (Match -)
Node: ui ep-r6_firmware (Range <2.0.3) AND ui ep-r6 (Match -)
Node: ui erlite-3_firmware (Range <2.0.3) AND ui erlite-3 (Match -)
Node: ui erpoe-5 (Match -) AND ui erpoe-5_firmware (Range <2.0.3)
Node: ui er-8 (Match -) AND ui er-8_firmware (Range <2.0.3)
Node: ui erpro-8 (Match -) AND ui erpro-8_firmware (Range <2.0.3)
Node: ui ep-r8 (Match -) AND ui ep-r8_firmware (Range <2.0.3)
Node: ui er-4 (Match -) AND ui er-4_firmware (Range <2.0.3)
Node: ui er-6p (Match -) AND ui er-6p_firmware (Range <2.0.3)
Node: ui er-12 (Match -) AND ui er-12_firmware (Range <2.0.3)
Node: ui er-8-xg (Match -) AND ui er-8-xg_firmware (Range <2.0.3)
Vendor  Product            Version  CPE
ui      er-x_firmware      *        cpe:2.3:o:ui:er-x_firmware:*:*:*:*:*:*:*:*
ui      er-x               -        cpe:2.3:h:ui:er-x:-:*:*:*:*:*:*:*
ui      er-x-sfp_firmware  *        cpe:2.3:o:ui:er-x-sfp_firmware:*:*:*:*:*:*:*:*
ui      er-x-sfp           -        cpe:2.3:h:ui:er-x-sfp:-:*:*:*:*:*:*:*
ui      ep-r6_firmware     *        cpe:2.3:o:ui:ep-r6_firmware:*:*:*:*:*:*:*:*
ui      ep-r6              -        cpe:2.3:h:ui:ep-r6:-:*:*:*:*:*:*:*
ui      erlite-3_firmware  *        cpe:2.3:o:ui:erlite-3_firmware:*:*:*:*:*:*:*:*
ui      erlite-3           -        cpe:2.3:h:ui:erlite-3:-:*:*:*:*:*:*:*
ui      erpoe-5            -        cpe:2.3:h:ui:erpoe-5:-:*:*:*:*:*:*:*
ui      erpoe-5_firmware   *        cpe:2.3:o:ui:erpoe-5_firmware:*:*:*:*:*:*:*:*