Lucene search

[email protected]CVE-2021-33514

HistoryMay 21, 2021 - 11:15 p.m.

CVE-2021-33514

2021-05-2123:15:00

CWE-78

[email protected]

web.nvd.nist.gov

netgear

command injection

vulnerability

cgi application

cve-2021-33514

nvd

security issue

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.063 Low

EPSS

Percentile

93.5%

JSON

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=‘;$HTTP_USER_AGENT;’ with an OS command in the User-Agent field. This affects GC108P before 1.0.7.3, GC108PP before 1.0.7.3, GS108Tv3 before 7.0.6.3, GS110TPPv1 before 7.0.6.3, GS110TPv3 before 7.0.6.3, GS110TUPv1 before 1.0.4.3, GS710TUPv1 before 1.0.4.3, GS716TP before 1.0.2.3, GS716TPP before 1.0.2.3, GS724TPPv1 before 2.0.4.3, GS724TPv2 before 2.0.4.3, GS728TPPv2 before 6.0.6.3, GS728TPv2 before 6.0.6.3, GS752TPPv1 before 6.0.6.3, GS752TPv2 before 6.0.6.3, MS510TXM before 1.0.2.3, and MS510TXUP before 1.0.2.3.

CPENameOperatorVersion
netgear:gc108p_firmwarenetgear gc108p firmwarelt1.0.7.3
netgear:gc108pp_firmwarenetgear gc108pp firmwarelt1.0.7.3
netgear:gs108t_firmwarenetgear gs108t firmwarelt7.0.6.3
netgear:gs110tpp_firmwarenetgear gs110tpp firmwarelt7.0.6.3
netgear:gs110tp_firmwarenetgear gs110tp firmwarelt7.0.6.3
netgear:gs110tup_firmwarenetgear gs110tup firmwarelt1.0.4.3
netgear:gs710tup_firmwarenetgear gs710tup firmwarelt1.0.4.3
netgear:gs716tp_firmwarenetgear gs716tp firmwarelt1.0.2.3
netgear:gs716tpp_firmwarenetgear gs716tpp firmwarelt1.0.2.3
netgear:gs724tpp_firmwarenetgear gs724tpp firmwarelt2.0.4.3

CPE	Name	Operator	Version
netgear:gc108p_firmware	netgear gc108p firmware	lt	1.0.7.3
netgear:gc108pp_firmware	netgear gc108pp firmware	lt	1.0.7.3
netgear:gs108t_firmware	netgear gs108t firmware	lt	7.0.6.3
netgear:gs110tpp_firmware	netgear gs110tpp firmware	lt	7.0.6.3
netgear:gs110tp_firmware	netgear gs110tp firmware	lt	7.0.6.3
netgear:gs110tup_firmware	netgear gs110tup firmware	lt	1.0.4.3
netgear:gs710tup_firmware	netgear gs710tup firmware	lt	1.0.4.3
netgear:gs716tp_firmware	netgear gs716tp firmware	lt	1.0.2.3
netgear:gs716tpp_firmware	netgear gs716tpp firmware	lt	1.0.2.3
netgear:gs724tpp_firmware	netgear gs724tpp firmware	lt	2.0.4.3

Rows per page:

1-10 of 171

References

gynvael.coldwind.pl/?lang=en&id=733

kb.netgear.com/000063641/Security-Advisory-for-Pre-Authentication-Command-Injection-Vulnerability-on-Some-Smart-Switches-PSV-2021-0071

Social References

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.063 Low

EPSS

Percentile

93.5%

JSON

Related for CVE-2021-33514

openvas1 checkpoint_advisories1 seebug1 prion1