Lucene search

MitreCVE-2020-35783

HistoryDec 30, 2020 - 12:15 a.m.

CVE-2020-35783

2020-12-3000:15:13

mitre

web.nvd.nist.gov

cve-2020-35783

netgear

access control

nsdp protocol

remote attackers

security vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

46.0%

JSON

Certain NETGEAR devices are affected by lack of access control at the function level. This affects JGS516PE before 2.6.0.48, GS116Ev2 before 2.6.0.48, JGS524Ev2 before 2.6.0.48, and JGS524PE before 2.6.0.48. The NSDP protocol version allows unauthenticated remote attackers to obtain all the switch configuration parameters by sending the corresponding read requests.

Affected configurations

Nvd

Node

netgearjgs516peMatch-

AND

netgearjgs516pe_firmwareRange<2.6.0.48

Node

netgearjgs524eMatchv2

AND

netgearjgs524e_firmwareRange<2.6.0.48

Node

netgearjgs524peMatch-

AND

netgearjgs524pe_firmwareRange<2.6.0.48

Node

netgeargs116eMatchv2

AND

netgeargs116e_firmwareRange<2.6.0.48

VendorProductVersionCPE
netgearjgs516pe-cpe:2.3:h:netgear:jgs516pe:-:*:*:*:*:*:*:*
netgearjgs516pe_firmware*cpe:2.3:o:netgear:jgs516pe_firmware:*:*:*:*:*:*:*:*
netgearjgs524ev2cpe:2.3:h:netgear:jgs524e:v2:*:*:*:*:*:*:*
netgearjgs524e_firmware*cpe:2.3:o:netgear:jgs524e_firmware:*:*:*:*:*:*:*:*
netgearjgs524pe-cpe:2.3:h:netgear:jgs524pe:-:*:*:*:*:*:*:*
netgearjgs524pe_firmware*cpe:2.3:o:netgear:jgs524pe_firmware:*:*:*:*:*:*:*:*
netgeargs116ev2cpe:2.3:h:netgear:gs116e:v2:*:*:*:*:*:*:*
netgeargs116e_firmware*cpe:2.3:o:netgear:gs116e_firmware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
netgear	jgs516pe	-	cpe:2.3:h:netgear:jgs516pe:-:::::::*
netgear	jgs516pe_firmware	*	cpe:2.3:o:netgear:jgs516pe_firmware::::::::
netgear	jgs524e	v2	cpe:2.3:h:netgear:jgs524e:v2:::::::*
netgear	jgs524e_firmware	*	cpe:2.3:o:netgear:jgs524e_firmware::::::::
netgear	jgs524pe	-	cpe:2.3:h:netgear:jgs524pe:-:::::::*
netgear	jgs524pe_firmware	*	cpe:2.3:o:netgear:jgs524pe_firmware::::::::
netgear	gs116e	v2	cpe:2.3:h:netgear:gs116e:v2:::::::*
netgear	gs116e_firmware	*	cpe:2.3:o:netgear:gs116e_firmware::::::::

References

kb.netgear.com/000062637/Security-Advisory-for-Missing-Function-Level-Access-Control-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0383

research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

46.0%

JSON

Related for CVE-2020-35783