CVE-2019-7642

CWE-306 — Missing Authentication3 documents3 sources

Severity

7.5HIGH

EPSS

10.9%

top 6.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dlink Dir-816 Firmware Dlink Dir-816l Firmware Dlink Dir-817lw Firmware +2 more

Timeline

PublishedMar 25

Latest updateMay 13

Description

D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDdlink/dir-816l_firmware2.06

▶NVDdlink/dir-850l_firmware1.09

▶NVDdlink/dir-868l_firmware1.10

▶NVDdlink/dir-817lw_firmware1.04

▶NVDdlink/dir-816_firmware2.06

🔴Vulnerability Details

GHSA

GHSA-6388-29mv-4hjx: D-Link routers with the mydlink feature have some web interfaces without authentication requirements↗2022-05-13

▶

CVEList

CVE-2019-7642: D-Link routers with the mydlink feature have some web interfaces without authentication requirements↗2019-03-25

▶