ID

VAR-202203-1983


CVE

CVE-2021-46009


TITLE

Totolink A3100R Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-55139 // CNNVD: CNNVD-202203-2633

DESCRIPTION

In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. The TOTOLINK A3100R firmware is missing authentication for critical functionality. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TotoLink A3100R is a series of wireless routers from TotoLink, a Taiwanese company. TotoLink A3100R V5.9c.4577 has an access control error vulnerability.

Trust: 2.16

sources: NVD: CVE-2021-46009 // JVNDB: JVNDB-2022-007488 // CNVD: CNVD-2022-55139

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-55139

AFFECTED PRODUCTS

vendor: totolink, model: a3100r, scope: eq, version: 5.9c.4577

Trust: 1.0

vendor: totolink, model: a3100r, scope: eq, version: a3100r firmware 5.9c.4577

Trust: 0.8

vendor: totolink, model: a3100r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a3100r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a3100r v5.9c.4577, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2022-55139 // JVNDB: JVNDB-2022-007488 // NVD: CVE-2021-46009

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-46009
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-46009
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2022-55139
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202203-2633
value: CRITICAL

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2021-46009
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-55139
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-46009
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-46009
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-55139 // JVNDB: JVNDB-2022-007488 // CNNVD: CNNVD-202203-2633 // NVD: CVE-2021-46009

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.0

problemtype: Lack of authentication for critical features (CWE-306) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-007488 // NVD: CVE-2021-46009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-2633

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202203-2633

EXTERNAL IDS

db: NVD, id: CVE-2021-46009

Trust: 3.8

db: JVNDB, id: JVNDB-2022-007488

Trust: 0.8

db: CNVD, id: CNVD-2022-55139

Trust: 0.6

db: CNNVD, id: CNNVD-202203-2633

Trust: 0.6

sources: CNVD: CNVD-2022-55139 // JVNDB: JVNDB-2022-007488 // CNNVD: CNNVD-202203-2633 // NVD: CVE-2021-46009

REFERENCES

url:http://totolink.com

Trust: 2.4

url:https://hackmd.io/-riyp6q-recx-dkkwfbtlg

Trust: 2.4

url:http://a3100r.com

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-46009

Trust: 1.4

url:https://cxsecurity.com/cveshow/cve-2021-46009/

Trust: 0.6

sources: CNVD: CNVD-2022-55139 // JVNDB: JVNDB-2022-007488 // CNNVD: CNNVD-202203-2633 // NVD: CVE-2021-46009

SOURCES

db: CNVD, id: CNVD-2022-55139
db: JVNDB, id: JVNDB-2022-007488
db: CNNVD, id: CNNVD-202203-2633
db: NVD, id: CVE-2021-46009

LAST UPDATE DATE

2024-11-23T22:04:56.156000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-55139, date: 2022-08-04T00:00:00
db: JVNDB, id: JVNDB-2022-007488, date: 2023-07-14T08:39:00
db: CNNVD, id: CNNVD-202203-2633, date: 2022-04-06T00:00:00
db: NVD, id: CVE-2021-46009, date: 2024-11-21T06:33:28.383

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-55139, date: 2022-08-04T00:00:00
db: JVNDB, id: JVNDB-2022-007488, date: 2023-07-14T00:00:00
db: CNNVD, id: CNNVD-202203-2633, date: 2022-03-30T00:00:00
db: NVD, id: CVE-2021-46009, date: 2022-03-30T23:15:07.907