History: Jul 17, 2022 - 11:15 p.m.

CVE-2021-40150

2022-07-17 23:15:08
CWE-552
mitre
web.nvd.nist.gov
cve-2021-40150
e1 zoom camera
web server
configuration disclosure
nginx
fastcgi
vulnerability
security

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.01
Percentile: 83.9%

The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.

Affected configurations

Nvd
Node
reolink  e1_zoom  Match  -
AND
reolink  e1_zoom_firmware  Range  ≤ 3.0.0.716

Vendor   Product           Version  CPE
reolink  e1_zoom           -        cpe:2.3:h:reolink:e1_zoom:-:*:*:*:*:*:*:*
reolink  e1_zoom_firmware  *        cpe:2.3:o:reolink:e1_zoom_firmware:*:*:*:*:*:*:*:*
