VAR-201810-0210
Vulnerability from variot - Updated: 2025-01-30 19:37A command injection vulnerability in the setup API in the Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field within JSON data to the /robot/initialize endpoint. Neato Botvac Connected Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NeatoBotvacConnected is a vacuum robotic device from NeatoRobotics, USA. There is a command injection vulnerability in the setupAPI in NeatoBotvacConnected version 2.2.0. Neato Botvac Connected is a vacuum robot device from Neato Robotics in the United States
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201810-0210",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "botvac connected",
"scope": "eq",
"trust": 1.0,
"vendor": "neatorobotics",
"version": "2.2.0"
},
{
"model": "botvac connected",
"scope": "eq",
"trust": 0.8,
"vendor": "neato robotics",
"version": "2.2.0"
},
{
"model": "botvac connected",
"scope": "eq",
"trust": 0.6,
"vendor": "neato",
"version": "2.2.0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:neato:botvac_connected_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
}
]
},
"cve": "CVE-2018-18638",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2018-18638",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-21849",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-129217",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2018-18638",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-18638",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-18638",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2018-21849",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-1241",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-129217",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "VULHUB",
"id": "VHN-129217"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
},
{
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A command injection vulnerability in the setup API in the Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field within JSON data to the /robot/initialize endpoint. Neato Botvac Connected Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NeatoBotvacConnected is a vacuum robotic device from NeatoRobotics, USA. There is a command injection vulnerability in the setupAPI in NeatoBotvacConnected version 2.2.0. Neato Botvac Connected is a vacuum robot device from Neato Robotics in the United States",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18638"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "VULHUB",
"id": "VHN-129217"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-18638",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1241",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2018-21849",
"trust": 0.6
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-129217",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "VULHUB",
"id": "VHN-129217"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
},
{
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"id": "VAR-201810-0210",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "VULHUB",
"id": "VHN-129217"
}
],
"trust": 1.38928573
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"industrial device"
],
"sub_category": "robot",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "CNVD",
"id": "CNVD-2018-21849"
}
]
},
"last_update_date": "2025-01-30T19:37:00.628000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.neatorobotics.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129217"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/security-in-a-vacuum-hacking-the-neato-botvac-connected-part-1/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18638"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18638"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "VULHUB",
"id": "VHN-129217"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
},
{
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "VULHUB",
"id": "VHN-129217"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
},
{
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-26T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"date": "2018-10-24T00:00:00",
"db": "VULHUB",
"id": "VHN-129217"
},
{
"date": "2019-03-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"date": "2018-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1241"
},
{
"date": "2018-10-24T22:29:02.043000",
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-26T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULHUB",
"id": "VHN-129217"
},
{
"date": "2019-03-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1241"
},
{
"date": "2024-11-21T03:56:16.657000",
"db": "NVD",
"id": "CVE-2018-18638"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Neato Botvac Connected Command Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21849"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013876"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
}
],
"trust": 2.0
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1241"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…