Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2019-19598

Improper Authentication

Published: Dec 05, 2019 | Modified: Dec 14, 2019
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
8.3 HIGH
AV:A/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2019-19598
CWEhttps://cwe.mitre.org/data/definitions/287.html

D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the devices /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Dap-1860_firmware Dlink 1.01b06 (including) 1.01b06 (including)
Dap-1860_firmware Dlink 1.02b01 (including) 1.02b01 (including)
Dap-1860_firmware Dlink 1.04b01 (including) 1.04b01 (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use