Details of VAR-202108-1625

ID

VAR-202108-1625

CVE

CVE-2021-38519

TITLE

Command injection vulnerabilities in multiple NETGEAR devices (CNVD-2021-83557)

Trust: 0.6

sources: CNVD: CNVD-2021-83557

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6250 before 1.0.4.36, R6300v2 before 1.0.4.36, R6400 before 1.0.1.50, R6400v2 before 1.0.2.66, R6700v3 before 1.0.2.66, R6700 before 1.0.2.8, R6900 before 1.0.2.8, R7000 before 1.0.9.88, R6900P before 1.3.2.132, R7100LG before 1.0.0.52, R7900 before 1.0.3.10, R8000 before 1.0.4.46, R7900P before 1.4.1.50, R8000P before 1.4.1.50, and RAX80 before 1.0.1.40. Netgear NETGEAR is a router from Netgear. A hardware device that connects two or more networks and acts as a gateway between the networks. Many NETGEAR devices have security vulnerabilities. The vulnerability stems from the fact that the product does not filter special characters in user input data. Attackers can execute system commands through this vulnerability. This affects R6250 prior to 1.0.4.36, R6300v2 prior to 1.0.4.36, R6400 prior to 1.0.1.50, R6400v2 prior to 1.0.2.66, R6700v3 prior to 1.0.2.66, R6700 prior to 1.0.2.8, R6900 prior to 1.0.2.8, R7000 prior to 1.0.9.88, R6900P prior to 1.3.2.132, R7100LG prior to 1.0.0.52, R7900 prior to 1.0.3.10, R8000 prior to 1.0.4.46, R7900P prior to 1.4.1.50, R8000P prior to 1.4.1.50, and RAX80 prior to 1.0.1.40

Trust: 1.53

sources: NVD: CVE-2021-38519 // CNVD: CNVD-2021-83557 // VULMON: CVE-2021-38519

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-83557

AFFECTED PRODUCTS

vendor:	netgear	model:	r8000	scope:	lt	version:	1.0.4.46	Trust: 1.6
vendor:	netgear	model:	r6700	scope:	lt	version:	1.0.2.8	Trust: 1.6
vendor:	netgear	model:	r6900	scope:	lt	version:	1.0.2.8	Trust: 1.6
vendor:	netgear	model:	r7900	scope:	lt	version:	1.0.3.10	Trust: 1.6
vendor:	netgear	model:	r7100lg	scope:	lt	version:	1.0.0.52	Trust: 1.6
vendor:	netgear	model:	r6400v2	scope:	lt	version:	1.0.2.66	Trust: 1.6
vendor:	netgear	model:	r6900p	scope:	lt	version:	1.3.2.132	Trust: 1.6
vendor:	netgear	model:	r6400	scope:	lt	version:	1.0.1.50	Trust: 1.6
vendor:	netgear	model:	r7900p	scope:	lt	version:	1.4.1.50	Trust: 1.6
vendor:	netgear	model:	r8000p	scope:	lt	version:	1.4.1.50	Trust: 1.6
vendor:	netgear	model:	r6250	scope:	lt	version:	1.0.4.36	Trust: 1.6
vendor:	netgear	model:	r6300	scope:	lt	version:	1.0.4.36	Trust: 1.6
vendor:	netgear	model:	r6700	scope:	lt	version:	1.0.2.66	Trust: 1.6
vendor:	netgear	model:	r7000	scope:	lt	version:	1.0.9.88	Trust: 1.6
vendor:	netgear	model:	rax80	scope:	lt	version:	1.0.1.40	Trust: 1.6

sources: CNVD: CNVD-2021-83557 // NVD: CVE-2021-38519

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38519
value:	HIGH
Trust: 1.0
cve@mitre.org:	CVE-2021-38519
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2021-83557
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-956
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-38519
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-38519
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-83557
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-38519
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2021-38519
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	0.8
impactScore:	5.5
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-83557 // VULMON: CVE-2021-38519 // CNNVD: CNNVD-202108-956 // NVD: CVE-2021-38519 // NVD: CVE-2021-38519

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.0

sources: NVD: CVE-2021-38519

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-956

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202108-956

PATCH

title:	Patch for Command injection vulnerabilities in multiple NETGEAR devices (CNVD-2021-83557)	url:	https://www.cnvd.org.cn/patchInfo/show/296406	Trust: 0.6
title:	Netgear NETGEAR Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159350	Trust: 0.6

sources: CNVD: CNVD-2021-83557 // CNNVD: CNNVD-202108-956

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38519	Trust: 2.3
db:	CNVD	id:	CNVD-2021-83557	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-956	Trust: 0.6
db:	VULMON	id:	CVE-2021-38519	Trust: 0.1

sources: CNVD: CNVD-2021-83557 // VULMON: CVE-2021-38519 // CNNVD: CNNVD-202108-956 // NVD: CVE-2021-38519

REFERENCES

url:	https://kb.netgear.com/000063762/security-advisory-for-post-authentication-command-injection-on-some-routers-psv-2018-0564	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38519	Trust: 1.2
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-83557 // VULMON: CVE-2021-38519 // CNNVD: CNNVD-202108-956 // NVD: CVE-2021-38519

SOURCES

db:	CNVD	id:	CNVD-2021-83557
db:	VULMON	id:	CVE-2021-38519
db:	CNNVD	id:	CNNVD-202108-956
db:	NVD	id:	CVE-2021-38519

LAST UPDATE DATE

2024-08-14T14:50:11.928000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-83557	date:	2021-11-04T00:00:00
db:	VULMON	id:	CVE-2021-38519	date:	2021-08-19T00:00:00
db:	CNNVD	id:	CNNVD-202108-956	date:	2021-08-20T00:00:00
db:	NVD	id:	CVE-2021-38519	date:	2021-08-19T11:31:24.787

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-83557	date:	2021-08-19T00:00:00
db:	VULMON	id:	CVE-2021-38519	date:	2021-08-11T00:00:00
db:	CNNVD	id:	CNNVD-202108-956	date:	2021-08-10T00:00:00
db:	NVD	id:	CVE-2021-38519	date:	2021-08-11T00:15:40.490