CVE-2021-21736 - OpenCVE

A smart camera product of ZTE is impacted by a permission and access control vulnerability. Due to the defect of user permission management by the cloud-end app, users whose sharing permissions have been revoked can still control the camera, such as restarting the camera, restoring factory settings, etc.. This affects ZXHN HS562 V1.0.0.0B2.0000, V1.0.0.0B3.0000E

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Complete

AV:N/AC:L/Au:S/C:P/I:P/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte	Zxhn Hs562 Zxhn Hs562 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:zte:zxhn_hs562_firmware:1.0.0.0b2.0000:::::::*
	cpe:2.3:o:zte:zxhn_hs562_firmware:1.0.0.0b3.0000:::::::*

cpe:2.3:h:zte:zxhn_hs562:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964

History

No history.

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2021-06-10T11:28:57

Updated: 2024-08-03T18:23:28.899Z

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21736

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-10T12:15:08.490

Modified: 2021-06-17T19:21:36.230

Link: CVE-2021-21736

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ZXHN HS562", "vendor": "n/a", "versions": [{"status": "affected", "version": "V1.0.0.0B2.0000, V1.0.0.0B3.0000"}]}], "descriptions": [{"lang": "en", "value": "A smart camera product of ZTE is impacted by a permission and access control vulnerability. Due to the defect of user permission management by the cloud-end app, users whose sharing permissions have been revoked can still control the camera, such as restarting the camera, restoring factory settings, etc.. This affects ZXHN HS562 V1.0.0.0B2.0000, V1.0.0.0B3.0000E"}], "problemTypes": [{"descriptions": [{"description": "information leak", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-10T11:28:57", "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@zte.com.cn", "ID": "CVE-2021-21736", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ZXHN HS562", "version": {"version_data": [{"version_value": "V1.0.0.0B2.0000, V1.0.0.0B3.0000"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A smart camera product of ZTE is impacted by a permission and access control vulnerability. Due to the defect of user permission management by the cloud-end app, users whose sharing permissions have been revoked can still control the camera, such as restarting the camera, restoring factory settings, etc.. This affects ZXHN HS562 V1.0.0.0B2.0000, V1.0.0.0B3.0000E"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "information leak"}]}]}, "references": {"reference_data": [{"name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964", "refsource": "MISC", "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:23:28.899Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964"}]}]}, "cveMetadata": {"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "cveId": "CVE-2021-21736", "datePublished": "2021-06-10T11:28:57", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:23:28.899Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxhn_hs562_firmware:1.0.0.0b2.0000:*:*:*:*:*:*:*", "matchCriteriaId": "24F3CB00-7212-4F3A-928B-F0278ADF6085", "vulnerable": true}, {"criteria": "cpe:2.3:o:zte:zxhn_hs562_firmware:1.0.0.0b3.0000:*:*:*:*:*:*:*", "matchCriteriaId": "9494CC2D-9E39-43C4-B21D-FFE658A9EBF0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxhn_hs562:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FD6DC75-6AAF-44A3-95A5-C19D34C56B47", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A smart camera product of ZTE is impacted by a permission and access control vulnerability. Due to the defect of user permission management by the cloud-end app, users whose sharing permissions have been revoked can still control the camera, such as restarting the camera, restoring factory settings, etc.. This affects ZXHN HS562 V1.0.0.0B2.0000, V1.0.0.0B3.0000E"}, {"lang": "es", "value": "Un producto de c\u00e1mara inteligente de ZTE est\u00e1 afectado por una vulnerabilidad de control de permisos y acceso. Debido al defecto de la gesti\u00f3n de permisos de usuario por parte de la aplicaci\u00f3n en la nube, los usuarios cuyos permisos de compartici\u00f3n han sido revocados pueden seguir controlando la c\u00e1mara, como reiniciar la c\u00e1mara, restaurar los ajustes de f\u00e1brica, etc. Esto afecta al producto ZXHN HS562 en las versiones V1.0.0.0B2.0000, V1.0.0B3.0000E"}], "id": "CVE-2021-21736", "lastModified": "2021-06-17T19:21:36.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 8.5, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-10T12:15:08.490", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015964"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}