Details of VAR-202104-1187

ID

VAR-202104-1187

CVE

CVE-2021-27710

TITLE

Totolink X5000R OS Command Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-13200

DESCRIPTION

Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS. The Totolink X5000R is a router from the Chinese company Totolink

Trust: 1.53

sources: NVD: CVE-2021-27710 // CNVD: CNVD-2022-13200 // VULMON: CVE-2021-27710

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-13200

AFFECTED PRODUCTS

vendor:	totolink	model:	x5000r	scope:	eq	version:	9.1.0u.6118_b20201102	Trust: 1.0
vendor:	totolink	model:	a720r	scope:	eq	version:	4.1.5cu.470_b20200911	Trust: 1.0
vendor:	totolink	model:	x5000r 9.1.0u.6118 b20201102	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2022-13200 // NVD: CVE-2021-27710

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-27710
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2022-13200
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-1152
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-27710
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-27710
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2022-13200
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-27710
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-13200 // VULMON: CVE-2021-27710 // CNNVD: CNNVD-202104-1152 // NVD: CVE-2021-27710

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2021-27710

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-1152

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202104-1152

EXTERNAL IDS

db:	NVD	id:	CVE-2021-27710	Trust: 2.3
db:	CNVD	id:	CNVD-2022-13200	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-1152	Trust: 0.6
db:	VULMON	id:	CVE-2021-27710	Trust: 0.1

sources: CNVD: CNVD-2022-13200 // VULMON: CVE-2021-27710 // CNNVD: CNNVD-202104-1152 // NVD: CVE-2021-27710

REFERENCES

url:	https://hackmd.io/hy3ovgtcqiuqatv9fdylhw	Trust: 2.3
url:	https://hackmd.io/kjxzqdjdrjourjozzxqo_a	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27710	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-13200 // VULMON: CVE-2021-27710 // CNNVD: CNNVD-202104-1152 // NVD: CVE-2021-27710

SOURCES

db:	CNVD	id:	CNVD-2022-13200
db:	VULMON	id:	CVE-2021-27710
db:	CNNVD	id:	CNNVD-202104-1152
db:	NVD	id:	CVE-2021-27710

LAST UPDATE DATE

2024-11-23T22:57:57.325000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-13200	date:	2022-02-22T00:00:00
db:	VULMON	id:	CVE-2021-27710	date:	2021-04-21T00:00:00
db:	CNNVD	id:	CNNVD-202104-1152	date:	2022-03-24T00:00:00
db:	NVD	id:	CVE-2021-27710	date:	2024-11-21T05:58:28.120

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-13200	date:	2022-02-18T00:00:00
db:	VULMON	id:	CVE-2021-27710	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-1152	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-27710	date:	2021-04-14T18:15:14.377