An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts.
Commands are executed with root privileges.
Vulnerable Products 6
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
| Lantronix Eds5032_Firmware `cpe:2.3:o:lantronix:eds5032_firmware:2.1.0.0:r3:*:*:*:*:*:*` | — | — |
| Lantronix Eds5032 `cpe:2.3:h:lantronix:eds5032:-:*:*:*:*:*:*:*` | — | — |
| Lantronix Eds5008_Firmware `cpe:2.3:o:lantronix:eds5008_firmware:2.1.0.0:r3:*:*:*:*:*:*` | — | — |
| Lantronix Eds5008 `cpe:2.3:h:lantronix:eds5008:-:*:*:*:*:*:*:*` | — | — |
| Lantronix Eds5016_Firmware `cpe:2.3:o:lantronix:eds5016_firmware:2.1.0.0:r3:*:*:*:*:*:*` | — | — |
| Lantronix Eds5016 `cpe:2.3:h:lantronix:eds5016:-:*:*:*:*:*:*:*` | — | — |