ID

VAR-202108-1626


CVE

CVE-2021-38520


TITLE

Command injection vulnerability in multiple NETGEAR devices

Trust: 0.8

sources: JVNDB: JVNDB-2021-010410

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400 before 1.0.1.52, R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R6700v2 before 1.2.0.62, R6900v2 before 1.2.0.62, and R7000P before 1.3.2.124. A command injection vulnerability exists in multiple NETGEAR devices. Information may be obtained or tampered with, and service operation may be interrupted (DoS). NETGEAR is a router from Netgear, a hardware device that connects two or more networks and acts as a gateway between networks. The vulnerability stems from the product not filtering special characters in user input data; attackers can execute system commands through this vulnerability.

Trust: 2.25

sources: NVD: CVE-2021-38520 // JVNDB: JVNDB-2021-010410 // CNVD: CNVD-2021-83563 // VULMON: CVE-2021-38520

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-83563

AFFECTED PRODUCTS

vendor: netgear, model: r6400, scope: lt, version: 1.0.1.52

Trust: 1.6

vendor: netgear, model: r6400, scope: lt, version: 1.0.4.84

Trust: 1.6

vendor: netgear, model: r6700, scope: lt, version: 1.2.0.62

Trust: 1.6

vendor: netgear, model: r6900, scope: lt, version: 1.2.0.62

Trust: 1.6

vendor: netgear, model: r7000p, scope: lt, version: 1.3.2.124

Trust: 1.6

vendor: netgear, model: r6700, scope: lt, version: 1.0.4.84

Trust: 1.6

vendor: ネットギア, model: r6700, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6900, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r7000p, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6400, scope: -, version: -

Trust: 0.8

sources: CNVD: CNVD-2021-83563 // JVNDB: JVNDB-2021-010410 // NVD: CVE-2021-38520

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38520
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2021-38520
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38520
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-83563
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-1053
value: HIGH

Trust: 0.6

VULMON: CVE-2021-38520
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-38520
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-83563
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38520
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2021-38520
baseSeverity: MEDIUM
baseScore: 6.6
vectorString: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.7
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-38520
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-83563 // VULMON: CVE-2021-38520 // JVNDB: JVNDB-2021-010410 // CNNVD: CNNVD-202108-1053 // NVD: CVE-2021-38520 // NVD: CVE-2021-38520

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:Command injection (CWE-77) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-010410 // NVD: CVE-2021-38520

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1053

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202108-1053

PATCH

title: Security Advisory for Post-Authentication Command Injection on Some Routers, PSV-2018-0565
url: https://kb.netgear.com/000063763/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-PSV-2018-0565

Trust: 0.8

title: Patch for Command injection vulnerabilities in multiple NETGEAR devices
url: https://www.cnvd.org.cn/patchInfo/show/296271

Trust: 0.6

title: Netgear NETGEAR Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159426

Trust: 0.6

sources: CNVD: CNVD-2021-83563 // JVNDB: JVNDB-2021-010410 // CNNVD: CNNVD-202108-1053

EXTERNAL IDS

db: NVD, id: CVE-2021-38520

Trust: 3.9

db: JVNDB, id: JVNDB-2021-010410

Trust: 0.8

db: CNVD, id: CNVD-2021-83563

Trust: 0.6

db: CNNVD, id: CNNVD-202108-1053

Trust: 0.6

db: VULMON, id: CVE-2021-38520

Trust: 0.1

sources: CNVD: CNVD-2021-83563 // VULMON: CVE-2021-38520 // JVNDB: JVNDB-2021-010410 // CNNVD: CNNVD-202108-1053 // NVD: CVE-2021-38520

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2021-38520

Trust: 2.0

url:https://kb.netgear.com/000063763/security-advisory-for-post-authentication-command-injection-on-some-routers-psv-2018-0565

Trust: 1.7

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-83563 // VULMON: CVE-2021-38520 // JVNDB: JVNDB-2021-010410 // CNNVD: CNNVD-202108-1053 // NVD: CVE-2021-38520

SOURCES

db: CNVD, id: CNVD-2021-83563
db: VULMON, id: CVE-2021-38520
db: JVNDB, id: JVNDB-2021-010410
db: CNNVD, id: CNNVD-202108-1053
db: NVD, id: CVE-2021-38520

LAST UPDATE DATE

2024-08-14T14:25:15.592000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-83563, date: 2021-11-04T00:00:00
db: VULMON, id: CVE-2021-38520, date: 2021-08-18T00:00:00
db: JVNDB, id: JVNDB-2021-010410, date: 2022-07-01T01:38:00
db: CNNVD, id: CNNVD-202108-1053, date: 2021-08-19T00:00:00
db: NVD, id: CVE-2021-38520, date: 2021-08-18T20:23:09.827

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-83563, date: 2021-08-12T00:00:00
db: VULMON, id: CVE-2021-38520, date: 2021-08-11T00:00:00
db: JVNDB, id: JVNDB-2021-010410, date: 2022-07-01T00:00:00
db: CNNVD, id: CNNVD-202108-1053, date: 2021-08-10T00:00:00
db: NVD, id: CVE-2021-38520, date: 2021-08-11T00:15:45.320