Details of VAR-202106-0822

ID

VAR-202106-0822

CVE

CVE-2021-21736

TITLE

ZXHN HS562 Inappropriate Default Permission Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-007928

DESCRIPTION

A smart camera product of ZTE is impacted by a permission and access control vulnerability. Due to the defect of user permission management by the cloud-end app, users whose sharing permissions have been revoked can still control the camera, such as restarting the camera, restoring factory settings, etc.. This affects ZXHN HS562 V1.0.0.0B2.0000, V1.0.0.0B3.0000E. ZXHN H168N Is vulnerable to incorrect default permissions.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

Trust: 1.62

sources: NVD: CVE-2021-21736 // JVNDB: JVNDB-2021-007928

IOT TAXONOMY

category:

['camera device']

sub_category:

camera

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	zte	model:	zxhn hs562	scope:	eq	version:	1.0.0.0b3.0000	Trust: 1.0
vendor:	zte	model:	zxhn hs562	scope:	eq	version:	1.0.0.0b2.0000	Trust: 1.0
vendor:	zte	model:	zxhn hs562	scope:	eq	version:	zxhn hs562 firmware 1.0.0.0b2.0000	Trust: 0.8
vendor:	zte	model:	zxhn hs562	scope:	eq	version:	zxhn hs562 firmware 1.0.0.0b3.0000e	Trust: 0.8
vendor:	zte	model:	zxhn hs562	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-007928 // NVD: CVE-2021-21736

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-21736
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-21736
value:	HIGH
Trust: 0.8

nvd@nist.gov:	CVE-2021-21736
severity:	HIGH
baseScore:	8.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2021-21736
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-21736
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-007928 // NVD: CVE-2021-21736

PROBLEMTYPE DATA

problemtype:	CWE-276	Trust: 1.0
problemtype:	Inappropriate default permissions (CWE-276) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-007928 // NVD: CVE-2021-21736

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202106-791

PATCH

title:	Permission And Access Control Vulnerability in A Smart Camera of ZTE	url:	https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964	Trust: 0.8
title:	ZTE ZXHN HS562 Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153799	Trust: 0.6

sources: JVNDB: JVNDB-2021-007928 // CNNVD: CNNVD-202106-791

EXTERNAL IDS

db:	NVD	id:	CVE-2021-21736	Trust: 3.3
db:	ZTE	id:	1015964	Trust: 1.6
db:	JVNDB	id:	JVNDB-2021-007928	Trust: 0.8
db:	CNNVD	id:	CNNVD-202106-791	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2021-007928 // CNNVD: CNNVD-202106-791 // NVD: CVE-2021-21736

REFERENCES

url:	https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1015964	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-21736	Trust: 0.8
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2021-007928 // CNNVD: CNNVD-202106-791 // NVD: CVE-2021-21736

SOURCES

db:	OTHER	id:	-
db:	JVNDB	id:	JVNDB-2021-007928
db:	CNNVD	id:	CNNVD-202106-791
db:	NVD	id:	CVE-2021-21736

LAST UPDATE DATE

2025-01-30T20:52:11.489000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2021-007928	date:	2022-02-28T05:49:00
db:	CNNVD	id:	CNNVD-202106-791	date:	2021-06-11T00:00:00
db:	NVD	id:	CVE-2021-21736	date:	2021-06-17T19:21:36.230

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2021-007928	date:	2022-02-28T00:00:00
db:	CNNVD	id:	CNNVD-202106-791	date:	2021-06-10T00:00:00
db:	NVD	id:	CVE-2021-21736	date:	2021-06-10T12:15:08.490