Details of VAR-202112-0004

ID

VAR-202112-0004

CVE

CVE-2021-20860

TITLE

elecom lan routers cross-site request forgery vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-95486

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a remote authenticated attacker to hijack the authentication of an administrator via a specially crafted page. elecom lan routers is a router of Japan Elecom. Elecom lan routers has a cross-site request forgery vulnerability, which can be exploited by attackers to hijack administrator authentication through a specially crafted page

Trust: 1.44

sources: NVD: CVE-2021-20860 // CNVD: CNVD-2021-95486

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-95486

AFFECTED PRODUCTS

vendor:	elecom	model:	wrc-2533gst2-g	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-2533gs2-b	scope:	lte	version:	1.52	Trust: 1.0
vendor:	elecom	model:	edwrc-2533gst2	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-1750gsv	scope:	lte	version:	2.11	Trust: 1.0
vendor:	elecom	model:	wrc-1167gst2	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-2533gs2-w	scope:	lte	version:	1.52	Trust: 1.0
vendor:	elecom	model:	wrc-1167gst2h	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-2533gsta	scope:	lte	version:	1.03	Trust: 1.0
vendor:	elecom	model:	wrc-1900gst	scope:	lte	version:	1.03	Trust: 1.0
vendor:	elecom	model:	wrc-2533gst2	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-1167gst2a	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-2533gst	scope:	lte	version:	1.03	Trust: 1.0
vendor:	elecom	model:	wrc-2533gst2sp	scope:	lte	version:	1.25	Trust: 1.0
vendor:	elecom	model:	wrc-1750gs	scope:	lte	version:	1.03	Trust: 1.0
vendor:	elecom	model:	lan routers <=wrc-1167gst2	scope:	eq	version:	v1.25	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-1167gst2a	scope:	eq	version:	v1.25	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-1167gst2h	scope:	eq	version:	v1.25	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gs2-b	scope:	eq	version:	v1.52	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gs2-w	scope:	eq	version:	v1.52	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-1750gs	scope:	eq	version:	v1.03	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-1750gsv	scope:	eq	version:	v2.11	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-1900gst	scope:	eq	version:	v1.03	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gst	scope:	eq	version:	v1.03	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gsta	scope:	eq	version:	v1.03	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gst2	scope:	eq	version:	v1.25	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gst2sp	scope:	eq	version:	v1.25	Trust: 0.6
vendor:	elecom	model:	lan routers <=wrc-2533gst2-g	scope:	eq	version:	v1.25	Trust: 0.6
vendor:	elecom	model:	lan routers <=edwrc-2533gst2	scope:	eq	version:	v1.25	Trust: 0.6

sources: CNVD: CNVD-2021-95486 // NVD: CVE-2021-20860

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-20860
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2021-95486
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202111-2337
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-20860
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2021-95486
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-20860
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-95486 // CNNVD: CNNVD-202111-2337 // NVD: CVE-2021-20860

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.0

sources: NVD: CVE-2021-20860

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-2337

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202111-2337

PATCH

title:	Patch for elecom lan routers cross-site request forgery vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/303626	Trust: 0.6
title:	elecom lan Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=172660	Trust: 0.6

sources: CNVD: CNVD-2021-95486 // CNNVD: CNNVD-202111-2337

EXTERNAL IDS

db:	NVD	id:	CVE-2021-20860	Trust: 2.2
db:	JVN	id:	JVN88993473	Trust: 1.6
db:	CS-HELP	id:	SB2021113005	Trust: 1.2
db:	CNVD	id:	CNVD-2021-95486	Trust: 0.6
db:	CNNVD	id:	CNNVD-202111-2337	Trust: 0.6

sources: CNVD: CNVD-2021-95486 // CNNVD: CNNVD-202111-2337 // NVD: CVE-2021-20860

REFERENCES

url:	https://jvn.jp/en/jp/jvn88993473/index.html	Trust: 1.6
url:	https://www.elecom.co.jp/news/security/20211130-01/	Trust: 1.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021113005	Trust: 1.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-20860	Trust: 0.6

sources: CNVD: CNVD-2021-95486 // CNNVD: CNNVD-202111-2337 // NVD: CVE-2021-20860

SOURCES

db:	CNVD	id:	CNVD-2021-95486
db:	CNNVD	id:	CNNVD-202111-2337
db:	NVD	id:	CVE-2021-20860

LAST UPDATE DATE

2024-08-14T13:22:35.449000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-95486	date:	2021-12-09T00:00:00
db:	CNNVD	id:	CNNVD-202111-2337	date:	2021-12-08T00:00:00
db:	NVD	id:	CVE-2021-20860	date:	2021-12-02T14:01:11.917

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-95486	date:	2021-12-09T00:00:00
db:	CNNVD	id:	CNNVD-202111-2337	date:	2021-11-30T00:00:00
db:	NVD	id:	CVE-2021-20860	date:	2021-12-01T03:15:07.080