Lucene search

K
nvd[email protected]NVD:CVE-2021-20124
HistoryOct 13, 2021 - 4:15 p.m.

CVE-2021-20124

2021-10-1316:15:07
CWE-22
web.nvd.nist.gov
2
cve-2021-20124
draytek vigorconnect
file download functionality
webservlet endpoint
unauthenticated attacker
arbitrary files
root privileges

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.492

Percentile

97.6%

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Affected configurations

Nvd
Node
draytekvigorconnectMatch1.6.0beta3
VendorProductVersionCPE
draytekvigorconnect1.6.0cpe:2.3:a:draytek:vigorconnect:1.6.0:beta3:*:*:*:*:*:*

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.492

Percentile

97.6%