Details of VAR-202108-0726

ID

VAR-202108-0726

CVE

CVE-2021-25447

TITLE

SmartThings Authentication vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-009504

DESCRIPTION

Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview. SmartThings Contains an authentication vulnerability.Information may be tampered with. Samsung SmartThings is an application from South Korea's Samsung that can connect to smart devices

Trust: 2.25

sources: NVD: CVE-2021-25447 // JVNDB: JVNDB-2021-009504 // CNVD: CNVD-2023-95334 // VULMON: CVE-2021-25447

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-95334

AFFECTED PRODUCTS

vendor:	samsung	model:	smartthings	scope:	lt	version:	1.7.67.25	Trust: 1.6
vendor:	サムスン	model:	smartthings	scope:	eq	version:	1.7.67.25	Trust: 0.8
vendor:	サムスン	model:	smartthings	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2023-95334 // JVNDB: JVNDB-2021-009504 // NVD: CVE-2021-25447

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-25447
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-25447
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2023-95334
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-476
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-25447
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-25447
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2023-95334
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-25447
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-25447
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-95334 // VULMON: CVE-2021-25447 // JVNDB: JVNDB-2021-009504 // CNNVD: CNNVD-202108-476 // NVD: CVE-2021-25447

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-284	Trust: 1.0
problemtype:	Improper authentication (CWE-287) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-009504 // NVD: CVE-2021-25447

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-476

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202108-476

PATCH

title:	Security Updates (AUG-2021 Updates)	url:	https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=8	Trust: 0.8
title:	Patch for Samsung SmartThings Access Control Error Vulnerability (CNVD-2023-95334)	url:	https://www.cnvd.org.cn/patchInfo/show/357226	Trust: 0.6
title:	Samsung SmartThings Remediation measures for authorization problem vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=159865	Trust: 0.6

sources: CNVD: CNVD-2023-95334 // JVNDB: JVNDB-2021-009504 // CNNVD: CNNVD-202108-476

EXTERNAL IDS

db:	NVD	id:	CVE-2021-25447	Trust: 3.9
db:	JVNDB	id:	JVNDB-2021-009504	Trust: 0.8
db:	CNVD	id:	CNVD-2023-95334	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-476	Trust: 0.6
db:	VULMON	id:	CVE-2021-25447	Trust: 0.1

sources: CNVD: CNVD-2023-95334 // VULMON: CVE-2021-25447 // JVNDB: JVNDB-2021-009504 // CNNVD: CNNVD-202108-476 // NVD: CVE-2021-25447

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-25447	Trust: 2.0
url:	https://security.samsungmobile.com/serviceweb.smsb?year=2021&month=8	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-95334 // VULMON: CVE-2021-25447 // JVNDB: JVNDB-2021-009504 // CNNVD: CNNVD-202108-476 // NVD: CVE-2021-25447

SOURCES

db:	CNVD	id:	CNVD-2023-95334
db:	VULMON	id:	CVE-2021-25447
db:	JVNDB	id:	JVNDB-2021-009504
db:	CNNVD	id:	CNNVD-202108-476
db:	NVD	id:	CVE-2021-25447

LAST UPDATE DATE

2024-08-14T13:43:25.824000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-95334	date:	2023-12-05T00:00:00
db:	VULMON	id:	CVE-2021-25447	date:	2021-08-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-009504	date:	2022-05-02T02:40:00
db:	CNNVD	id:	CNNVD-202108-476	date:	2022-09-26T00:00:00
db:	NVD	id:	CVE-2021-25447	date:	2022-09-23T19:11:37.137

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-95334	date:	2022-10-17T00:00:00
db:	VULMON	id:	CVE-2021-25447	date:	2021-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2021-009504	date:	2022-05-02T00:00:00
db:	CNNVD	id:	CNNVD-202108-476	date:	2021-08-05T00:00:00
db:	NVD	id:	CVE-2021-25447	date:	2021-08-05T20:15:08.313