CVE-2019-3931

2019-04-3020:28:44

CWE-88

tenable

www.cve.org

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

44.6%

JSON

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argumention injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root.

CNA Affected

[
  {
    "product": "Crestron AirMedia",
    "vendor": "Crestron",
    "versions": [
      {
        "status": "affected",
        "version": "AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2"
      }
    ]
  }
]

References

www.tenable.com/security/research/tra-2019-20