CVE-2017-18806 : Certain NETGEAR devices are affected by command injection. This affects WAC510 before 1.3.0.10, WAC120 before 2.1.4, WND

Certain NETGEAR devices are affected by command injection. This affects WAC510 before 1.3.0.10, WAC120 before 2.1.4, WNDAP620 before 2.1.3, WND930 before 2.1.2, WN604 before 3.3.7, WNDAP660 before 3.7.4.0, WNDAP350 before 3.7.4.0, WNAP320 before 3.7.4.0, WNAP210v2 before 3.7.4.0, and WNDAP360 before 3.7.4.0.

Published 2020-04-21 16:15:51

Updated 2020-04-23 20:22:30

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2017-18806

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 10 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-18806

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.7	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	MITRE
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-18806

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-18806

https://kb.netgear.com/000049061/Security-Advisory-for-Command-Injection-Vulnerability-on-Some-Wireless-Access-Points-PSV-2017-2214

Security Advisory for Command Injection Vulnerability on Some Wireless Access Points, PSV-2017-2214 | Answer | NETGEAR Support
Vendor Advisory

Products affected by CVE-2017-18806

Netgear » Wnap320 Firmware
Versions before (<) 3.7.4.0
cpe:2.3:o:netgear:wnap320_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnap320 » Version: N/A
Netgear » Wndap350 Firmware
Versions before (<) 3.7.4.0
cpe:2.3:o:netgear:wndap350_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndap350 » Version: N/A
Netgear » Wndap360 Firmware
Versions before (<) 3.7.4.0
cpe:2.3:o:netgear:wndap360_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndap360 » Version: N/A
Netgear » Wn604 Firmware
Versions before (<) 3.3.7
cpe:2.3:o:netgear:wn604_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wn604 » Version: N/A
Netgear » Wndap660 Firmware
Versions before (<) 3.7.4.0
cpe:2.3:o:netgear:wndap660_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndap660 » Version: N/A
Netgear » Wnd930 Firmware
Versions before (<) 2.1.2
cpe:2.3:o:netgear:wnd930_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnd930 » Version: N/A
Netgear » Wnap210 Firmware
Versions before (<) 3.7.4.0
cpe:2.3:o:netgear:wnap210_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnap210 » Version: V2
Netgear » Wndap620 Firmware
Versions before (<) 2.1.3
cpe:2.3:o:netgear:wndap620_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndap620 » Version: N/A
Netgear » Wac120 Firmware
Versions before (<) 2.1.4
cpe:2.3:o:netgear:wac120_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wac120 » Version: N/A
Netgear » Wac510 Firmware
Versions before (<) 1.3.0.10
cpe:2.3:o:netgear:wac510_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wac510 » Version: N/A

Vulnerability Details : CVE-2017-18806

Exploit prediction scoring system (EPSS) score for CVE-2017-18806

CVSS scores for CVE-2017-18806

CWE ids for CVE-2017-18806

References for CVE-2017-18806

Products affected by CVE-2017-18806