ID

VAR-202104-1186


CVE

CVE-2021-27708


TITLE

Totolink X5000R OS Command Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-13361

DESCRIPTION

Command injection in the TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102 and the TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, the "command" parameter is taken directly from the attacker, allowing them to control the "command" field to attack the OS. The Totolink X5000R is a router from the Chinese company Totolink.

Trust: 1.53

sources: NVD: CVE-2021-27708 // CNVD: CNVD-2022-13361 // VULMON: CVE-2021-27708

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-13361

AFFECTED PRODUCTS

vendor: totolink, model: x5000r, scope: eq, version: 9.1.0u.6118_b20201102

Trust: 1.0

vendor: totolink, model: a720r, scope: eq, version: 4.1.5cu.470_b20200911

Trust: 1.0

vendor: totolink, model: x5000r 9.1.0u.6118 b20201102, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2022-13361 // NVD: CVE-2021-27708

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-27708
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2022-13361
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-1066
value: CRITICAL

Trust: 0.6

VULMON: CVE-2021-27708
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-27708
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2022-13361
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-27708
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2022-13361 // VULMON: CVE-2021-27708 // CNNVD: CNNVD-202104-1066 // NVD: CVE-2021-27708

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

sources: NVD: CVE-2021-27708

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-1066

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202104-1066

EXTERNAL IDS

db: NVD, id: CVE-2021-27708

Trust: 2.3

db: CNVD, id: CNVD-2022-13361

Trust: 0.6

db: CNNVD, id: CNNVD-202104-1066

Trust: 0.6

db: VULMON, id: CVE-2021-27708

Trust: 0.1

sources: CNVD: CNVD-2022-13361 // VULMON: CVE-2021-27708 // CNNVD: CNNVD-202104-1066 // NVD: CVE-2021-27708

REFERENCES

url: https://hackmd.io/mdgibvoxspczrzizjfqghw

Trust: 2.3

url: https://hackmd.io/7ftb06f-sj-scfkmycxyxa

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-27708

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-13361 // VULMON: CVE-2021-27708 // CNNVD: CNNVD-202104-1066 // NVD: CVE-2021-27708

SOURCES

db: CNVD, id: CNVD-2022-13361
db: VULMON, id: CVE-2021-27708
db: CNNVD, id: CNNVD-202104-1066
db: NVD, id: CVE-2021-27708

LAST UPDATE DATE

2024-11-23T22:33:05.242000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-13361, date: 2022-02-23T00:00:00
db: VULMON, id: CVE-2021-27708, date: 2021-04-21T00:00:00
db: CNNVD, id: CNNVD-202104-1066, date: 2022-03-24T00:00:00
db: NVD, id: CVE-2021-27708, date: 2024-11-21T05:58:27.993

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-13361, date: 2022-02-18T00:00:00
db: VULMON, id: CVE-2021-27708, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202104-1066, date: 2021-04-14T00:00:00
db: NVD, id: CVE-2021-27708, date: 2021-04-14T16:15:14.127