Sign-up

ID

VAR-202112-2069


CVE

CVE-2021-20134


TITLE

D-Link DIR-2640 Path Traversal Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-08325 // CNNVD: CNNVD-202112-2788

DESCRIPTION

Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set an arbitrary file on the router's filesystem as the log file used by either Quagga service (zebra or ripd). Subsequent log messages will be appended to the file, prefixed by a timestamp and some logging metadata. Remote code execution can be achieved by using this vulnerability to append to a shell script on the router's filesystem, and then awaiting or triggering the execution of that script. A remote, unauthenticated root shell can easily be obtained on the device in this fashion. D-Link DIR-2640 Exists in a past traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. D-Link DIR-2640 is a high-power Wi-Fi router from D-Link, a Taiwanese company. A path traversal vulnerability exists in D-Link DIR-2640 Quagga 1.11B02 and its previous versions. The vulnerability stems from the lack of effective filtering of path parameters in the software

Trust: 2.25

sources: NVD: CVE-2021-20134 // JVNDB: JVNDB-2021-017472 // CNVD: CNVD-2022-08325 // VULMON: CVE-2021-20134

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-08325

AFFECTED PRODUCTS

vendor:dlinkmodel:dir-2640-usscope:lteversion:1.11b02

Trust: 1.0

vendor:d linkmodel:d-link dir-2640-usscope:eqversion: -

Trust: 0.8

vendor:d linkmodel:d-link dir-2640-usscope:lteversion:d-link dir-2640-us firmware 1.11b02 and earlier

Trust: 0.8

vendor:d linkmodel:dir-2640 <=1.11b02scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2022-08325 // JVNDB: JVNDB-2021-017472 // NVD: CVE-2021-20134

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-20134
value: HIGH

Trust: 1.0

NVD: CVE-2021-20134
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-08325
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202112-2788
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-20134
severity: HIGH
baseScore: 7.4
vectorString: AV:A/AC:M/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-08325
severity: HIGH
baseScore: 7.4
vectorString: AV:A/AC:M/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-20134
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.7
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-20134
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-08325 // JVNDB: JVNDB-2021-017472 // CNNVD: CNNVD-202112-2788 // NVD: CVE-2021-20134

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:Path traversal (CWE-22) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-017472 // NVD: CVE-2021-20134

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202112-2788

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202112-2788

PATCH

title:Top Pageurl:https://www.dlink.com/en/consumer

Trust: 0.8

title:Patch for D-Link DIR-2640 Path Traversal Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/317546

Trust: 0.6

title:D-Link DIR-2640 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=177158

Trust: 0.6

sources: CNVD: CNVD-2022-08325 // JVNDB: JVNDB-2021-017472 // CNNVD: CNNVD-202112-2788

EXTERNAL IDS

db:NVDid:CVE-2021-20134

Trust: 3.9

db:TENABLEid:TRA-2021-44

Trust: 2.5

db:JVNDBid:JVNDB-2021-017472

Trust: 0.8

db:CNVDid:CNVD-2022-08325

Trust: 0.6

db:CNNVDid:CNNVD-202112-2788

Trust: 0.6

db:VULMONid:CVE-2021-20134

Trust: 0.1

sources: CNVD: CNVD-2022-08325 // VULMON: CVE-2021-20134 // JVNDB: JVNDB-2021-017472 // CNNVD: CNNVD-202112-2788 // NVD: CVE-2021-20134

REFERENCES

url:https://www.tenable.com/security/research/tra-2021-44

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-20134

Trust: 2.0

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-08325 // VULMON: CVE-2021-20134 // JVNDB: JVNDB-2021-017472 // CNNVD: CNNVD-202112-2788 // NVD: CVE-2021-20134

SOURCES

db:CNVDid:CNVD-2022-08325
db:VULMONid:CVE-2021-20134
db:JVNDBid:JVNDB-2021-017472
db:CNNVDid:CNNVD-202112-2788
db:NVDid:CVE-2021-20134

LAST UPDATE DATE

2024-08-14T14:25:05.183000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-08325date:2022-02-04T00:00:00
db:VULMONid:CVE-2021-20134date:2021-12-31T00:00:00
db:JVNDBid:JVNDB-2021-017472date:2023-01-19T05:55:00
db:CNNVDid:CNNVD-202112-2788date:2022-01-13T00:00:00
db:NVDid:CVE-2021-20134date:2022-01-12T19:52:28.633

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-08325date:2021-02-04T00:00:00
db:VULMONid:CVE-2021-20134date:2021-12-30T00:00:00
db:JVNDBid:JVNDB-2021-017472date:2023-01-19T00:00:00
db:CNNVDid:CNNVD-202112-2788date:2021-12-30T00:00:00
db:NVDid:CVE-2021-20134date:2021-12-30T22:15:08.460