CVE-2021-21745 - OpenCVE

ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zte	Mf971r Mf971r Firmware

Configuration 1 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

References

Link	Resource
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: zte

Published: 2021-10-20T15:20:50

Updated: 2021-10-20T15:20:50

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21745

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-20T16:15:08.203

Modified: 2022-06-28T14:11:45.273

Link: CVE-2021-21745

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "MF971R", "vendor": "n/a", "versions": [{"status": "affected", "version": "BD_ZTE_MF971RV1.0.0B05, BD_PLKPLMF971R1V1.0.0B06, BD_MF971R2V1.0.0B03, BD_ZTE_MF971RS2V1.0.0B03, BD_ZTE_MF971RSV1.0.0B05"}]}], "descriptions": [{"lang": "en", "value": "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click."}], "problemTypes": [{"descriptions": [{"description": "Referer authentication bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T15:20:50", "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@zte.com.cn", "ID": "CVE-2021-21745", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MF971R", "version": {"version_data": [{"version_value": "BD_ZTE_MF971RV1.0.0B05, BD_PLKPLMF971R1V1.0.0B06, BD_MF971R2V1.0.0B03, BD_ZTE_MF971RS2V1.0.0B03, BD_ZTE_MF971RSV1.0.0B05"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Referer authentication bypass"}]}]}, "references": {"reference_data": [{"name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764", "refsource": "MISC", "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}]}}}}, "cveMetadata": {"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "cveId": "CVE-2021-21745", "datePublished": "2021-10-20T15:20:50", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2021-10-20T15:20:50", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*", "matchCriteriaId": "72A4F659-C656-47D6-B38E-5BA8E73DCD30", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*", "matchCriteriaId": "35FA4400-636F-48E7-AF1E-9416D9E9386F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*", "matchCriteriaId": "252BBFAA-0053-441A-8F20-A737EF573355", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*", "matchCriteriaId": "7B066F08-DDC4-4868-8FD2-620E46660B64", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*", "matchCriteriaId": "AAA1BD70-DC47-4B81-A906-3FD76E593F75", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click."}, {"lang": "es", "value": "El producto ZTE MF971R presenta una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n Referer. Sin la verificaci\u00f3n de tipo CSRF, un atacante podr\u00eda usar esta vulnerabilidad para llevar a cabo operaciones de autorizaci\u00f3n ilegales mediante el env\u00edo de una petici\u00f3n al usuario para que haga clic"}], "id": "CVE-2021-21745", "lastModified": "2022-06-28T14:11:45.273", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-20T16:15:08.203", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}