Main Vulnerability Database Vulnerabilities #VU21235

Input validation error in Keeper K5 - CVE-2019-16398

Published: September 20, 2019

Vulnerability identifier: #VU21235

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2019-16398

CWE-ID: CWE-20

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Keeper

Affected software:
Keeper K5

Detailed vulnerability description

The vulnerability allows a local attacker to execute arbitrary code on the target device.

The vulnerability exists due to insufficient validation of user-supplied input. An attacker with physical access to the device can insert an SD card containing a file named "zskj_script_run.sh" that executes arbitrary code.

How to mitigate CVE-2019-16398

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://gitlab.com/crypt0crc/cve-2019-16398
https://www.youtube.com/watch?v=S_cTme7m8Ng&feature=youtu.be

Input validation error in Keeper K5 - CVE-2019-16398

Detailed vulnerability description

How to mitigate CVE-2019-16398

Sources

Please verify you're human