CVE-2019-7479 : A vulnerability in SonicOS allow authenticated read-only admin can elevate permi

A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. This vulnerability affected SonicOS Gen 5 version 5.9.1.12-4o and earlier, Gen 6 version 6.2.7.4-32n, 6.5.1.4-4n, 6.5.2.3-4n, 6.5.3.3-3n, 6.2.7.10-3n, 6.4.1.0-3n, 6.5.3.3-3n, 6.5.1.9-4n and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).

Published 2019-12-31 02:15:11

Updated 2020-10-09 13:37:53

Source SonicWALL, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2019-7479

Sonicwall » Sonicos
Versions up to, including, (<=) 5.9.1.12-4o
cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.2.7.4-32n
cpe:2.3:o:sonicwall:sonicos:6.2.7.4-32n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.2.7.10-3n
cpe:2.3:o:sonicwall:sonicos:6.2.7.10-3n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.4.1.0-3n
cpe:2.3:o:sonicwall:sonicos:6.4.1.0-3n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.5.1.4-4n
cpe:2.3:o:sonicwall:sonicos:6.5.1.4-4n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.5.1.9-4n
cpe:2.3:o:sonicwall:sonicos:6.5.1.9-4n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.5.2.3-4n
cpe:2.3:o:sonicwall:sonicos:6.5.2.3-4n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicos » Version: 6.5.3.3-3n
cpe:2.3:o:sonicwall:sonicos:6.5.3.3-3n:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicosv » Version: 6.5.0.2.8v
cpe:2.3:o:sonicwall:sonicosv:6.5.0.2.8v:*:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicosv » Version: 6.5.0.2.8v Update Rc363
cpe:2.3:o:sonicwall:sonicosv:6.5.0.2.8v:rc363:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicosv » Version: 6.5.0.2.8v Update Rc366
cpe:2.3:o:sonicwall:sonicosv:6.5.0.2.8v:rc366:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicosv » Version: 6.5.0.2.8v Update Rc367
cpe:2.3:o:sonicwall:sonicosv:6.5.0.2.8v:rc367:*:*:*:*:*:*
Matching versions
Sonicwall » Sonicosv » Version: 6.5.0.2.8v Update Rc368
cpe:2.3:o:sonicwall:sonicosv:6.5.0.2.8v:rc368:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-7479

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-7479

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-7479

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: PSIRT@sonicwall.com (Secondary)

References for CVE-2019-7479

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0012

Security Advisory
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-7479

Products affected by CVE-2019-7479

Exploit prediction scoring system (EPSS) score for CVE-2019-7479

CVSS scores for CVE-2019-7479

CWE ids for CVE-2019-7479

References for CVE-2019-7479