cvelistv5 - cve-2021-20648

cve-2021-20648

Vulnerability from cvelistv5

Published

2021-02-12 06:15

Modified

2024-08-03 17:45

Severity ?

Summary

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

References

URL	Tags
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN47580234/index.html	Third Party Advisory
vultures@jpcert.or.jp	https://www.elecom.co.jp/news/security/20210126-01/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN47580234/index.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.elecom.co.jp/news/security/20210126-01/	Vendor Advisory

Impacted products

Vendor

Product

Version

▼

ELECOM CO.,LTD.

WRC-300FEBK-S

Version: WRC-300FEBK-S

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:45:44.997Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.elecom.co.jp/news/security/20210126-01/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WRC-300FEBK-S",
          "vendor": "ELECOM CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "WRC-300FEBK-S"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "OS Command Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-12T06:15:50",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.elecom.co.jp/news/security/20210126-01/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2021-20648",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WRC-300FEBK-S",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "WRC-300FEBK-S"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ELECOM CO.,LTD."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.elecom.co.jp/news/security/20210126-01/",
              "refsource": "MISC",
              "url": "https://www.elecom.co.jp/news/security/20210126-01/"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN47580234/index.html",
              "refsource": "MISC",
              "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2021-20648",
    "datePublished": "2021-02-12T06:15:50",
    "dateReserved": "2020-12-17T00:00:00",
    "dateUpdated": "2024-08-03T17:45:44.997Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-20648\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2021-02-12T07:15:15.327\",\"lastModified\":\"2024-11-21T05:46:56.493\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.\"},{\"lang\":\"es\",\"value\":\"ELECOM WRC-300FEBK-S, permite a un atacante con derechos de administrador ejecutar comandos arbitrarios del sistema operativo por medio de vectores no especificados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":7.7,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":5.1,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BBD41BED-6FB3-4F62-BFCC-C73927375E9E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"77EFC8AE-44A0-4ED5-AC46-13CA56313EEB\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/en/jp/JVN47580234/index.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.elecom.co.jp/news/security/20210126-01/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/en/jp/JVN47580234/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.elecom.co.jp/news/security/20210126-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

gsd-2021-20648

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

Aliases

CVE-2021-20648

Aliases

CVE-2021-20648

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-20648",
    "description": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.",
    "id": "GSD-2021-20648"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-20648"
      ],
      "details": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.",
      "id": "GSD-2021-20648",
      "modified": "2023-12-13T01:23:12.687320Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2021-20648",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WRC-300FEBK-S",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "WRC-300FEBK-S"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ELECOM CO.,LTD."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "OS Command Injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.elecom.co.jp/news/security/20210126-01/",
            "refsource": "MISC",
            "url": "https://www.elecom.co.jp/news/security/20210126-01/"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN47580234/index.html",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2021-20648"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.elecom.co.jp/news/security/20210126-01/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.elecom.co.jp/news/security/20210126-01/"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN47580234/index.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.7,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 5.1,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-02-15T01:29Z",
      "publishedDate": "2021-02-12T07:15Z"
    }
  }
}

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors. The following multiple vulnerabilities exist in multiple products provided by ELECOM CORPORATION. ・ Inadequate access restrictions (CWE-284) - CVE-2021-20643 -Script injection on the management screen (CWE-74) - CVE-2021-20644 ・ Retractable cross-site scripting (CWE-79) - CVE-2021-20645 ・ Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 ・ OS Command injection (CWE-78) - CVE-2021-20648 -Insufficient verification of server certificate (CWE-295) - CVE-2021-20649 ・ UPnP Via OS Command injection (CWE-78) - CVE-2014-8361 CVE-2021-20643 This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Institute of Information Security Yuasa Laboratory Nagakawa ( Ishibashi ) Australia Mr CVE-2021-20644 This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Sato Rei Mr CVE-2021-20645, CVE-2021-20646 These vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Mitsui Bussan Secure Direction Co., Ltd. Tetsuyuki Ogawa Mr CVE-2021-20647, CVE-2021-20648, CVE-2021-20649 These vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Cyber Defense Institute, Inc. Satoru Nagaoka Mr CVE-2021-20650 This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Hiroshi Watanabe Mr CVE-2014-8361 The following person indicates that the product is vulnerable to IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Cyber Defense Institute, Inc. Satoru Nagaoka Mr., National Institute of Information and Communications Technology Makita Daisuke Mr., National Institute of Information and Communications Technology Woods Yoshiki MrThe expected impact depends on each vulnerability, but it may be affected as follows. -The management password of the product is changed by processing the request crafted by a remote third party. - CVE-2021-20643 ・ Crafted SSID Is displayed on the management screen, and any script is executed on the user's web browser. - CVE-2021-20644 -Any script is executed on the web browser of the user who is logged in to the product. - CVE-2021-20645 -When a user logged in to the management screen of the product accesses a specially crafted page, an arbitrary request is executed, and as a result, the settings of the product are changed unintentionally. telnet Daemon is started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 ・ Any third party who can access the product OS Command is executed - CVE-2021-20648 ・ Man-in-the-middle attack (man-in-the-middle attack) The communication response has been tampered with, resulting in arbitrary in the product. OS Command is executed - CVE-2021-20649 ・ With the product UPnP Is valid, any by a third party who has access to the product OS Command is executed - CVE-2014-8361. ELECOM WRC-300FEBK-S is a wireless access device.

ELECOM WRC-300FEBK-S has an arbitrary command execution vulnerability

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202102-0489",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "wrc-300febk-s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "elecom",
        "version": null
      },
      {
        "model": "ld-ps/u1",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2021-20643)"
      },
      {
        "model": "ncc-ewf100rmwh2",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2021-20650)"
      },
      {
        "model": "wrc-1467ghbk-a",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2021-20644)"
      },
      {
        "model": "wrc-300febk",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2014-8361)"
      },
      {
        "model": "wrc-300febk-a",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2021-20645, cve-2021-20646)"
      },
      {
        "model": "wrc-300febk-s",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2021-20647, cve-2021-20648, cve-2021-20649, cve-2014-8361)"
      },
      {
        "model": "wrc-f300nf",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "elecom",
        "version": "(cve-2014-8361)"
      },
      {
        "model": "wrc-300febk-s",
        "scope": null,
        "trust": 0.6,
        "vendor": "elecom",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      }
    ]
  },
  "cve": "CVE-2021-20648",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.7,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 5.1,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Adjacent Network",
            "authentication": "None",
            "author": "IPA",
            "availabilityImpact": "Partial",
            "baseScore": 5.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Adjacent Network",
            "authentication": "None",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 3.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 3.5,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "High",
            "accessVector": "Network",
            "authentication": "None",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 2.6,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Adjacent Network",
            "authentication": "Single",
            "author": "IPA",
            "availabilityImpact": "Partial",
            "baseScore": 5.2,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "High",
            "accessVector": "Network",
            "authentication": "None",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 4.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.7,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 5.1,
            "id": "CNVD-2021-14145",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 0.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "IPA",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 5.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 5.2,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 5.4,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "IPA",
            "availabilityImpact": "High",
            "baseScore": 6.8,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 4.8,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-000008",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "IPA",
            "id": "JVNDB-2021-000008",
            "trust": 4.8,
            "value": "Medium"
          },
          {
            "author": "NVD",
            "id": "CVE-2021-20648",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "IPA",
            "id": "JVNDB-2021-000008",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-14145",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202101-2396",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors. The following multiple vulnerabilities exist in multiple products provided by ELECOM CORPORATION. \u30fb Inadequate access restrictions (CWE-284) - CVE-2021-20643 -Script injection on the management screen (CWE-74) - CVE-2021-20644 \u30fb Retractable cross-site scripting (CWE-79) - CVE-2021-20645 \u30fb Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 \u30fb OS Command injection (CWE-78) - CVE-2021-20648 -Insufficient verification of server certificate (CWE-295) - CVE-2021-20649 \u30fb UPnP Via OS Command injection (CWE-78) - CVE-2014-8361 CVE-2021-20643 This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Institute of Information Security Yuasa Laboratory Nagakawa ( Ishibashi ) Australia Mr CVE-2021-20644 This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Sato Rei Mr CVE-2021-20645, CVE-2021-20646 These vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Mitsui Bussan Secure Direction Co., Ltd. Tetsuyuki Ogawa Mr CVE-2021-20647, CVE-2021-20648, CVE-2021-20649 These vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Cyber Defense Institute, Inc. Satoru Nagaoka Mr CVE-2021-20650 This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Hiroshi Watanabe Mr CVE-2014-8361 The following person indicates that the product is vulnerable to IPA Report to JPCERT/CC Coordinated with the developer. Reporter : Cyber Defense Institute, Inc. Satoru Nagaoka Mr., National Institute of Information and Communications Technology Makita Daisuke Mr., National Institute of Information and Communications Technology Woods Yoshiki MrThe expected impact depends on each vulnerability, but it may be affected as follows. -The management password of the product is changed by processing the request crafted by a remote third party. - CVE-2021-20643 \u30fb Crafted SSID Is displayed on the management screen, and any script is executed on the user\u0027s web browser. - CVE-2021-20644 -Any script is executed on the web browser of the user who is logged in to the product. - CVE-2021-20645 -When a user logged in to the management screen of the product accesses a specially crafted page, an arbitrary request is executed, and as a result, the settings of the product are changed unintentionally. telnet Daemon is started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 \u30fb Any third party who can access the product OS Command is executed - CVE-2021-20648 \u30fb Man-in-the-middle attack (man-in-the-middle attack) The communication response has been tampered with, resulting in arbitrary in the product. OS Command is executed - CVE-2021-20649 \u30fb With the product UPnP Is valid, any by a third party who has access to the product OS Command is executed - CVE-2014-8361. ELECOM WRC-300FEBK-S is a wireless access device. \n\r\n\r\nELECOM WRC-300FEBK-S has an arbitrary command execution vulnerability",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20648"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-20648",
        "trust": 3.1
      },
      {
        "db": "JVN",
        "id": "JVN47580234",
        "trust": 2.4
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008",
        "trust": 1.4
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20648",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20648"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ]
  },
  "id": "VAR-202102-0489",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      }
    ],
    "trust": 1.299523826
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:16:29.599000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "\u7121\u7ddaLAN\u30eb\u30fc\u30bf\u30fc\u306a\u3069\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u88fd\u54c1\u306e\u4e00\u90e8\u306b\u304a\u3051\u308b\u8106\u5f31\u6027\u306b\u95a2\u3057\u3066",
        "trust": 0.8,
        "url": "https://www.elecom.co.jp/news/security/20210126-01/"
      },
      {
        "title": "Patch for ELECOM WRC-300FEBK-S arbitrary command execution vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/250601"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.8
      },
      {
        "problemtype": "CWE-Other",
        "trust": 0.8
      },
      {
        "problemtype": "CWE-79",
        "trust": 0.8
      },
      {
        "problemtype": "CWE-352",
        "trust": 0.8
      },
      {
        "problemtype": "CWE-264",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.2,
        "url": "https://www.elecom.co.jp/news/security/20210126-01/"
      },
      {
        "trust": 1.6,
        "url": "https://jvn.jp/en/jp/jvn47580234/index.html"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20649"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20650"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20643"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8361"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20644"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20645"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20646"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20647"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20648"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/jp/jvn47580234/index.html"
      },
      {
        "trust": 0.6,
        "url": "https://jvndb.jvn.jp/en/contents/2021/jvndb-2021-000008.html"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20648"
      },
      {
        "trust": 0.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/195666"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20648"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20648"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-03-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "date": "2021-02-12T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-20648"
      },
      {
        "date": "2021-01-26T03:12:23",
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "date": "2021-02-12T07:15:15.327000",
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "date": "2021-01-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-03-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-14145"
      },
      {
        "date": "2021-02-15T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-20648"
      },
      {
        "date": "2021-01-26T03:12:23",
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      },
      {
        "date": "2021-02-15T01:29:13.357000",
        "db": "NVD",
        "id": "CVE-2021-20648"
      },
      {
        "date": "2021-02-19T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple vulnerabilities in multiple ELECOM products",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-000008"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2396"
      }
    ],
    "trust": 0.6
  }
}

ghsa-p953-88vf-5gfv

Vulnerability from github

Published

2022-05-24 17:42

Modified

2022-05-24 17:42

Details

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-20648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-12T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.",
  "id": "GHSA-p953-88vf-5gfv",
  "modified": "2022-05-24T17:42:05Z",
  "published": "2022-05-24T17:42:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20648"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20210126-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

cve-2021-20648

Vulnerability from jvndb

Published

2021-01-26 16:33

Modified

2021-01-26 16:33

Severity ?

8.8 (High) - cvssV3_0 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities in multiple ELECOM products

Details

Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. *Improper Access Control (CWE-284) - CVE-2021-20643 *Script injection in web setup page (CWE-74) - CVE-2021-20644 *Stored cross-site scripting (CWE-79) - CVE-2021-20645 *Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 *OS command injection (CWE-78) - CVE-2021-20648 *Improper server certificate verification (CWE-295) - CVE-2021-20649 *OS command injection via UPnP (CWE-78) - CVE-2014-8361 CVE-2021-20643 NAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20644 Ryo Sato reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20645, CVE-2021-20646 Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20647, CVE-2021-20648, CVE-2021-20649 Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20650 Yutaka WATANABE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Satoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.

References

▼	Type	URL
	JVN	https://jvn.jp/en/jp/JVN47580234/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20643
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20644
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20645
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20646
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20647
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20648
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20649
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20650
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-8361
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20643
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20644
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20645
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20646
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20647
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20648
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20649
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20650
	Permissions(CWE-264)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Cross-Site Request Forgery(CWE-352)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	OS Command Injection(CWE-78)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

▼	Vendor	Product
	ELECOM CO.,LTD.	LD-PS/U1
	ELECOM CO.,LTD.	NCC-EWF100RMWH2
	ELECOM CO.,LTD.	WRC-1467GHBK-A
	ELECOM CO.,LTD.	WRC-300FEBK-A
	ELECOM CO.,LTD.	WRC-300FEBK-S
	ELECOM CO.,LTD.	WRC-300FEBK firmware
	ELECOM CO.,LTD.	WRC-F300NF firmware

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000008.html",
  "dc:date": "2021-01-26T16:33+09:00",
  "dcterms:issued": "2021-01-26T16:33+09:00",
  "dcterms:modified": "2021-01-26T16:33+09:00",
  "description": "Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.\r\n*Improper Access Control (CWE-284) - CVE-2021-20643\r\n*Script injection in web setup page (CWE-74) - CVE-2021-20644\r\n*Stored cross-site scripting (CWE-79) - CVE-2021-20645\r\n*Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650\r\n*OS command injection (CWE-78) - CVE-2021-20648\r\n*Improper server certificate verification (CWE-295) - CVE-2021-20649\r\n*OS command injection via UPnP (CWE-78) - CVE-2014-8361\r\n\r\nCVE-2021-20643\r\nNAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20644\r\nRyo Sato reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20645, CVE-2021-20646\r\nSatoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20647, CVE-2021-20648, CVE-2021-20649\r\nSatoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20650\r\nYutaka WATANABE reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nSatoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000008.html",
  "sec:cpe": [
    {
      "#text": "cpe:/o:elecom:ld-ps%2fu1_firmware",
      "@product": "LD-PS/U1",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:ncc-ewf100rmwh2_firmware",
      "@product": "NCC-EWF100RMWH2",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-1467ghbk-a_firmware",
      "@product": "WRC-1467GHBK-A",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-300febk-a_firmware",
      "@product": "WRC-300FEBK-A",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-300febk-s_firmware",
      "@product": "WRC-300FEBK-S",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-300febk_firmware",
      "@product": "WRC-300FEBK firmware",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-f300nf_firmware",
      "@product": "WRC-F300NF firmware",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "8.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000008",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN47580234/index.html",
      "@id": "JVN#47580234",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20643",
      "@id": "CVE-2021-20643",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20644",
      "@id": "CVE-2021-20644",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20645",
      "@id": "CVE-2021-20645",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20646",
      "@id": "CVE-2021-20646",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20647",
      "@id": "CVE-2021-20647",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20648",
      "@id": "CVE-2021-20648",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20649",
      "@id": "CVE-2021-20649",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20650",
      "@id": "CVE-2021-20650",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361",
      "@id": "CVE-2014-8361",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2014-8361",
      "@id": "CVE-2014-8361",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20643",
      "@id": "CVE-2021-20643",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20644",
      "@id": "CVE-2021-20644",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20645",
      "@id": "CVE-2021-20645",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20646",
      "@id": "CVE-2021-20646",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20647",
      "@id": "CVE-2021-20647",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20648",
      "@id": "CVE-2021-20648",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20649",
      "@id": "CVE-2021-20649",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20650",
      "@id": "CVE-2021-20650",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in multiple ELECOM products"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2021-20648

Vulnerability from cvelistv5

gsd-2021-20648

Vulnerability from gsd

var-202102-0489

Vulnerability from variot

ghsa-p953-88vf-5gfv

Vulnerability from github

cve-2021-20648

Vulnerability from jvndb

Tags

Sightings

Nomenclature