ID
VAR-202201-0642
CVE
CVE-2021-40407
TITLE
Reolink RLC-410W Operating System Command Injection Vulnerability
Trust: 1.2
sources:
CNVD: CNVD-2022-12811 //
CNNVD: CNNVD-202201-2354
DESCRIPTION
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. (DoS) It may be in a state. Reolink Rlc-410W is a Wifi security camera from China Reolink company
Trust: 2.16
sources:
NVD: CVE-2021-40407 //
JVNDB: JVNDB-2021-018249 //
CNVD: CNVD-2022-12811
IOT TAXONOMY
| category: | ['IoT'] | sub_category: | - | Trust: 0.6 |
sources:
CNVD: CNVD-2022-12811
AFFECTED PRODUCTS
| vendor: | reolink | model: | rlc-410w | scope: | eq | version: | 3.0.0.136_20121102 | Trust: 1.0 |
| vendor: | reolink digital | model: | rlc-410w | scope: | eq | version: | rlc-410w firmware 3.0.0.136_20121102 | Trust: 0.8 |
| vendor: | reolink digital | model: | rlc-410w | scope: | eq | version: | - | Trust: 0.8 |
| vendor: | reolink | model: | rlc-410w 3.0.0.136 20121102 | scope: | - | version: | - | Trust: 0.6 |
sources:
CNVD: CNVD-2022-12811 //
JVNDB: JVNDB-2021-018249 //
NVD: CVE-2021-40407
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
sources:
CNVD: CNVD-2022-12811 //
JVNDB: JVNDB-2021-018249 //
CNNVD: CNNVD-202201-2354 //
NVD: CVE-2021-40407 //
NVD: CVE-2021-40407
PROBLEMTYPE DATA
| problemtype: | CWE-78 | Trust: 1.0 |
| problemtype: | OS Command injection (CWE-78) [NVD evaluation ] | Trust: 0.8 |
sources:
JVNDB: JVNDB-2021-018249 //
NVD: CVE-2021-40407
THREAT TYPE
remote
Trust: 0.6
sources:
CNNVD: CNNVD-202201-2354
TYPE
operating system commend injection
Trust: 0.6
sources:
CNNVD: CNNVD-202201-2354
PATCH
| title: | Top Page | url: | https://reolink.com/ | Trust: 0.8 |
| title: | Patch for Reolink RLC-410W Operating System Command Injection Vulnerability | url: | https://www.cnvd.org.cn/patchInfo/show/319041 | Trust: 0.6 |
| title: | Reolink Rlc-410W Fixes for operating system command injection vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180345 | Trust: 0.6 |
sources:
CNVD: CNVD-2022-12811 //
JVNDB: JVNDB-2021-018249 //
CNNVD: CNNVD-202201-2354
EXTERNAL IDS
| db: | NVD | id: | CVE-2021-40407 | Trust: 3.8 |
| db: | TALOS | id: | TALOS-2021-1424 | Trust: 2.4 |
| db: | JVNDB | id: | JVNDB-2021-018249 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2022-12811 | Trust: 0.6 |
| db: | CS-HELP | id: | SB2022012706 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202201-2354 | Trust: 0.6 |
sources:
CNVD: CNVD-2022-12811 //
JVNDB: JVNDB-2021-018249 //
CNNVD: CNNVD-202201-2354 //
NVD: CVE-2021-40407
REFERENCES
| url: | https://talosintelligence.com/vulnerability_reports/talos-2021-1424 | Trust: 3.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-40407 | Trust: 2.0 |
| url: | https://www.cybersecurity-help.cz/vdb/sb2022012706 | Trust: 0.6 |
sources:
CNVD: CNVD-2022-12811 //
JVNDB: JVNDB-2021-018249 //
CNNVD: CNNVD-202201-2354 //
NVD: CVE-2021-40407
CREDITS
Discovered by Francesco Benvenuto of Cisco Talos.
Trust: 0.6
sources:
CNNVD: CNNVD-202201-2354
SOURCES
| db: | CNVD | id: | CNVD-2022-12811 |
| db: | JVNDB | id: | JVNDB-2021-018249 |
| db: | CNNVD | id: | CNNVD-202201-2354 |
| db: | NVD | id: | CVE-2021-40407 |
LAST UPDATE DATE
2024-12-19T22:56:47.068000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2022-12811 | date: | 2022-02-21T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-018249 | date: | 2023-04-21T06:42:00 |
| db: | CNNVD | id: | CNNVD-202201-2354 | date: | 2022-04-20T00:00:00 |
| db: | NVD | id: | CVE-2021-40407 | date: | 2024-12-19T02:00:02.193 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2022-12811 | date: | 2022-02-21T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-018249 | date: | 2023-04-21T00:00:00 |
| db: | CNNVD | id: | CNNVD-202201-2354 | date: | 2022-01-26T00:00:00 |
| db: | NVD | id: | CVE-2021-40407 | date: | 2022-01-28T20:15:11.607 |