CVE-2021-21745 - Vulnerability Details - OpenCVE

ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.40585.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte Subscribe	Mf971r Subscribe Mf971r Firmware Subscribe

Configuration 1 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2021-10-20T15:20:50

Updated: 2024-08-03T18:23:29.386Z

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21745

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-20T16:15:08.203

Modified: 2024-11-21T05:48:55.583

Link: CVE-2021-21745

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-352

{"containers": {"cna": {"affected": [{"product": "MF971R", "vendor": "n/a", "versions": [{"status": "affected", "version": "BD_ZTE_MF971RV1.0.0B05, BD_PLKPLMF971R1V1.0.0B06, BD_MF971R2V1.0.0B03, BD_ZTE_MF971RS2V1.0.0B03, BD_ZTE_MF971RSV1.0.0B05"}]}], "descriptions": [{"lang": "en", "value": "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click."}], "problemTypes": [{"descriptions": [{"description": "Referer authentication bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T15:20:50", "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@zte.com.cn", "ID": "CVE-2021-21745", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MF971R", "version": {"version_data": [{"version_value": "BD_ZTE_MF971RV1.0.0B05, BD_PLKPLMF971R1V1.0.0B06, BD_MF971R2V1.0.0B03, BD_ZTE_MF971RS2V1.0.0B03, BD_ZTE_MF971RSV1.0.0B05"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Referer authentication bypass"}]}]}, "references": {"reference_data": [{"name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764", "refsource": "MISC", "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:23:29.386Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}]}]}, "cveMetadata": {"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "cveId": "CVE-2021-21745", "datePublished": "2021-10-20T15:20:50", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:23:29.386Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*", "matchCriteriaId": "72A4F659-C656-47D6-B38E-5BA8E73DCD30", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*", "matchCriteriaId": "35FA4400-636F-48E7-AF1E-9416D9E9386F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*", "matchCriteriaId": "252BBFAA-0053-441A-8F20-A737EF573355", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*", "matchCriteriaId": "7B066F08-DDC4-4868-8FD2-620E46660B64", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*", "matchCriteriaId": "AAA1BD70-DC47-4B81-A906-3FD76E593F75", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click."}, {"lang": "es", "value": "El producto ZTE MF971R presenta una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n Referer. Sin la verificaci\u00f3n de tipo CSRF, un atacante podr\u00eda usar esta vulnerabilidad para llevar a cabo operaciones de autorizaci\u00f3n ilegales mediante el env\u00edo de una petici\u00f3n al usuario para que haga clic"}], "id": "CVE-2021-21745", "lastModified": "2024-11-21T05:48:55.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-20T16:15:08.203", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}