Vulnerability Details : CVE-2019-9583
eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15.
Vulnerability category: Denial of service
Products affected by CVE-2019-9583
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.41.5:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.41.9:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.35.16:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.45.7:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.10:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.12:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.15:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.41.8:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.45.6:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.10:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.41.11:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.43.16:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.45.5:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.45.7:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.15:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9583
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9583
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
10.0
|
4.9
|
NIST | |
8.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
3.9
|
4.2
|
NIST |
CWE ids for CVE-2019-9583
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9583
-
https://psytester.github.io/CVE-2019-9583/
CVE-2019-9583 eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks – psytester – Testing is my passion. Sharing knowExploit;Third Party Advisory
-
https://github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_pentests/CVEs/2019-03-27-CVE-2019-9583.md
psytester.github.io/2019-03-27-CVE-2019-9583.md at master · psytester/psytester.github.io · GitHubExploit;Third Party Advisory
Jump to