CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.975 High
Percentile: 100.0%

A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan-based software. This vulnerability allows an unauthenticated user to access sensitive information and to alter the router configuration.
The vulnerability, identified as CVE-2021-20090, is a path traversal vulnerability. An unauthenticated attacker can leverage it to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their findings, but then discovered that the issue existed in the Arcadyan-based software used in routers from multiple vendors.
Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.
The CERT/CC recommends updating your router to the latest available firmware version. It also recommends disabling the remote (WAN-side) administration services on any SOHO router and disabling the web interface on the WAN.
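As a detection aid for the access pattern described above, the following added example (not part of the original advisory and not vendor code) flags web log entries whose request path looks like it targets an unauthenticated area but resolves, after decoding and normalization, to a page outside it. The public prefixes, page names and log lines are constructed assumptions; the advisory does not describe the affected firmware's internals.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: URL prefixes the web server serves without a login (hypothetical).
PUBLIC_PREFIXES = ("/static/", "/public/")
# Common Log Format: capture client IP and request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Aug/2021:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Aug/2021:10:00:02 +0000] "GET /static/..%2fadmin/settings.htm HTTP/1.1" 200 4096',
    '198.51.100.9 - - [03/Aug/2021:10:00:03 +0000] "GET /static/%252e%252e/admin/settings.htm HTTP/1.1" 200 4096',
    '198.51.100.9 - - [03/Aug/2021:10:00:04 +0000] "GET /static/css/../logo.png HTTP/1.1" 200 512',
    '192.0.2.4 - - [03/Aug/2021:10:00:05 +0000] "GET /admin/settings.htm HTTP/1.1" 401 0',
]

def resolve(target, max_rounds=3):
    """Decode and normalize a request target the way a lenient server might."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):  # undo nested percent-encoding such as %252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/"))

def is_public(path):
    """True if a normalized path is still inside a public prefix."""
    return (path.rstrip("/") + "/").startswith(PUBLIC_PREFIXES)

def leaves_public_area(target):
    """Raw path starts in a public area but resolves to somewhere else."""
    raw = target.split("?", 1)[0]
    return raw.startswith(PUBLIC_PREFIXES) and not is_public(resolve(target))

def scan(lines):
    """Return (client_ip, raw_target, resolved_path) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and leaves_public_area(m.group(2)):
            hits.append((m.group(1), m.group(2), resolve(m.group(2))))
    return hits

if __name__ == "__main__":
    for ip, raw, resolved in scan(SAMPLE_LOG):
        print(f"{ip} requested {raw} -> resolves to {resolved}")
```

A 200 response on a flagged line is the case worth investigating first; dot-dot segments that stay inside the public area (the fourth sample line) are not reported.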
Thanks to the reporter Evan Grant from Tenable.
This document was written by Timur Snoke.
914124
Notified: 2021-07-06 Updated: 2021-08-03 CVE-2021-20090 | Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Affected |
---|
A detailed List and Product Advisory is being created, as well as fixes.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-12
Statement Date: August 12, 2021
CVE-2021-20090 | Not Affected |
---|
AVM does not utilize Arcadyan components.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
No Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.
Notified: 2021-08-10 Updated: 2021-08-11
Statement Date: August 11, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-10-07
Statement Date: October 07, 2021
CVE-2021-20090 | Not Affected |
---|
Juniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.
Notified: 2021-08-10 Updated: 2021-08-16
Statement Date: August 16, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-11
Statement Date: August 11, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-12
Statement Date: August 12, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-09-06
Statement Date: September 06, 2021
CVE-2021-20090 | Not Affected |
---|
VxWorks is not affected, as we do not use Arcadyan-based routers and modems.
Notified: 2021-08-10 Updated: 2021-08-18
Statement Date: August 18, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-11
Statement Date: August 11, 2021
CVE-2021-20090 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-09-06
Statement Date: August 31, 2021
CVE-2021-20090 | Unknown |
---|
D-Link US SIRT,
After full investigation, D-Link has confirmed that no D-Link products are affected by this issue.
Regards, William Brown, D-Link US SIRT
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-08 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
---|
We have not received a statement from the vendor.
| CVE IDs: | CVE-2021-20090 |
|---|---|
| Date Public: | 2021-07-20 |
| Date First Published: | |