Lucene search

[email protected]CVE-2021-39244

HistoryAug 23, 2021 - 5:15 a.m.

CVE-2021-39244

2021-08-2305:15:00

CWE-78

[email protected]

web.nvd.nist.gov

cve-2021-39244

authenticated

command injection

parameter injection

altus nexto

nexto xpress

hadron xtorm

getlogs.cgi

tcpdump

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.028 Low

EPSS

Percentile

90.5%

JSON

Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via the getlogs.cgi tcpdump feature. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.

CPENameOperatorVersion
altus:nexto_nx3003_firmwarealtus nexto nx3003 firmwareeq1.8.11.0
altus:nexto_nx3004_firmwarealtus nexto nx3004 firmwareeq1.8.11.0
altus:nexto_nx3005_firmwarealtus nexto nx3005 firmwareeq1.8.11.0
altus:nexto_nx3010_firmwarealtus nexto nx3010 firmwareeq1.8.3.0
altus:nexto_nx3020_firmwarealtus nexto nx3020 firmwareeq1.8.3.0
altus:nexto_nx3030_firmwarealtus nexto nx3030 firmwareeq1.8.3.0
altus:nexto_nx5100_firmwarealtus nexto nx5100 firmwareeq1.8.11.0
altus:nexto_nx5101_firmwarealtus nexto nx5101 firmwareeq1.8.11.0
altus:nexto_nx5110_firmwarealtus nexto nx5110 firmwareeq1.1.2.8
altus:nexto_nx5210_firmwarealtus nexto nx5210 firmwareeq1.1.2.8

CPE	Name	Operator	Version
altus:nexto_nx3003_firmware	altus nexto nx3003 firmware	eq	1.8.11.0
altus:nexto_nx3004_firmware	altus nexto nx3004 firmware	eq	1.8.11.0
altus:nexto_nx3005_firmware	altus nexto nx3005 firmware	eq	1.8.11.0
altus:nexto_nx3010_firmware	altus nexto nx3010 firmware	eq	1.8.3.0
altus:nexto_nx3020_firmware	altus nexto nx3020 firmware	eq	1.8.3.0
altus:nexto_nx3030_firmware	altus nexto nx3030 firmware	eq	1.8.3.0
altus:nexto_nx5100_firmware	altus nexto nx5100 firmware	eq	1.8.11.0
altus:nexto_nx5101_firmware	altus nexto nx5101 firmware	eq	1.8.11.0
altus:nexto_nx5110_firmware	altus nexto nx5110 firmware	eq	1.1.2.8
altus:nexto_nx5210_firmware	altus nexto nx5210 firmware	eq	1.1.2.8

Rows per page:

1-10 of 151

References

seclists.org/fulldisclosure/2021/Aug/21

www.altus.com.br/

Social References

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.028 Low

EPSS

Percentile

90.5%

JSON

Related for CVE-2021-39244

prion1 zdt1 packetstorm1