NVD Vulnerability Detail

CVE-2020-10974

Summary	An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000
Publication Date	May 8, 2020, 3:15 a.m.
Registration Date	Jan. 26, 2021, 11:50 a.m.
Last Update	Nov. 21, 2024, 1:56 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:wavlink:wl-wn575a3_firmware:rpt75a3.v4300.180801:::::::*
execution environment
1	cpe:2.3:h:wavlink:wl-wn575a3:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:wavlink:wl-wn579g3_firmware:m79x3.v5030.180719:::::::*
execution environment
1	cpe:2.3:h:wavlink:wl-wn579g3:-:::::::*

Configuration12		or higher	or less	more than	less than
cpe:2.3:o:wavlink:jetstream_ac3000_firmware:-:::::::*
execution environment
1	cpe:2.3:h:wavlink:jetstream_ac3000:-:::::::*

Configuration13		or higher	or less	more than	less than
cpe:2.3:o:wavlink:jetstream_erac3000_firmware:-:::::::*
execution environment
1	cpe:2.3:h:wavlink:jetstream_erac3000:-:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/Roni-Carta/nyra	Not Applicable Third Party Advisory
2	https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974	Third Party Advisory
3	https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974-affected_devices	Third Party Advisory
4	https://github.com/sudo-jtcsec/Nyra	Broken Link
5	https://github.com/Roni-Carta/nyra	Not Applicable Third Party Advisory
6	https://github.com/sudo-jtcsec/Nyra	Broken Link
7	https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974-affected_devices	Third Party Advisory
8	https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-306	重要な機能に対する認証の欠如解説	https://cwe.mitre.org/data/definitions/306.html

JVN Vulnerability Information

Wavlink WL-WN579G3 および WL-WN575A3 デバイスにおける認証情報の不十分な保護に関する脆弱性

Title	Wavlink WL-WN579G3 および WL-WN575A3 デバイスにおける認証情報の不十分な保護に関する脆弱性
Summary	Wavlink WL-WN579G3 および WL-WN575A3 デバイスには、認証情報の不十分な保護に関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	April 22, 2020, midnight
Registration Date	June 11, 2020, 5:11 p.m.
Last Update	June 11, 2020, 5:11 p.m.

Affected System

WAVLINK

WL-WN575A3 ファームウェア RPT75A3.V4300.180801

WL-WN579G3 ファームウェア M79X3.V5030.180719

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-10974	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10974
National Vulnerability Database (NVD)
2	CVE-2020-10974	https://nvd.nist.gov/vuln/detail/CVE-2020-10974
関連文書
3	CVE-2020-10974	https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10974

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-522	https://cwe.mitre.org/data/definitions/522.html

ベンダー情報

No	Name	URL
WAVLINK
1	Top Page	https://www.wavlink.com/en_us/index.html

Change Log

No	Changed Details	Date of change
1	[2020年06月11日] 掲載	June 11, 2020, 5:11 p.m.