Lucene search

[email protected]NVD:CVE-2021-27221

HistoryMar 19, 2021 - 3:15 a.m.

CVE-2021-27221

2021-03-1903:15:12

[email protected]

web.nvd.nist.gov

mikrotik

routeros

ftp

user policies

arbitrary files

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.002

Percentile

51.6%

JSON

MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor’s position is that this is intended behavior because of how user policies work

Affected configurations

Nvd

Node

mikrotikrouterosMatch6.47.9-

VendorProductVersionCPE
mikrotikrouteros6.47.9cpe:2.3:o:mikrotik:routeros:6.47.9:*:*:*:-:*:*:*

Vendor	Product	Version	CPE
mikrotik	routeros	6.47.9	cpe:2.3:o:mikrotik:routeros:6.47.9::::-:::

References

onovy.medium.com/routeros-user-with-just-ftp-policy-can-write-to-filesystem-cve-2021-27221-e3e45d780dfe

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.002

Percentile

51.6%

JSON

Related for NVD:CVE-2021-27221

cvelist1 nessus1 cve1 prion1