Lucene search

MitreCVE-2018-14700

HistoryDec 03, 2018 - 10:29 p.m.

CVE-2018-14700

2018-12-0322:29:00

CWE-532

mitre

web.nvd.nist.gov

cve-2018-14700

incorrect access control

drobo 5n2 nas

mysql

log file

unauthenticated access

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.9

Confidence

High

EPSS

0.006

Percentile

79.3%

JSON

Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the “name” URL parameter.

Affected configurations

Nvd

Node

drobo5n2_firmwareMatch4.0.5-13.28.96115

AND

drobo5n2Match-

VendorProductVersionCPE
drobo5n2_firmware4.0.5-13.28.96115cpe:2.3:o:drobo:5n2_firmware:4.0.5-13.28.96115:*:*:*:*:*:*:*
drobo5n2-cpe:2.3:h:drobo:5n2:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
drobo	5n2_firmware	4.0.5-13.28.96115	cpe:2.3:o:drobo:5n2_firmware:4.0.5-13.28.96115:::::::*
drobo	5n2	-	cpe:2.3:h:drobo:5n2:-:::::::*

References

blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.9

Confidence

High

EPSS

0.006

Percentile

79.3%

JSON

Related for CVE-2018-14700