CVE-2021-33963 - OpenCVE

China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Chinamobile	An Lianbao Wf-1 An Lianbao Wf-1 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:chinamobile:an_lianbao_wf-1:-:*:*:*:*:*:*:*

cpe:2.3:o:chinamobile:an_lianbao_wf-1_firmware:1.0.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://iot.10086.cn/?l=en-us
https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection9.md
https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520
https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-01-15T09:16:29

Updated: 2024-08-04T00:05:52.317Z

Reserved: 2021-06-07T00:00:00

Link: CVE-2021-33963

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-15T10:15:07.747

Modified: 2023-02-24T14:07:29.883

Link: CVE-2021-33963

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-15T09:16:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620"}, {"tags": ["x_refsource_MISC"], "url": "http://iot.10086.cn/?l=en-us"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection9.md"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33963", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620", "refsource": "MISC", "url": "https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620"}, {"name": "http://iot.10086.cn/?l=en-us", "refsource": "MISC", "url": "http://iot.10086.cn/?l=en-us"}, {"name": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520", "refsource": "MISC", "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520"}, {"name": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection9.md", "refsource": "MISC", "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection9.md"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:05:52.317Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://iot.10086.cn/?l=en-us"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection9.md"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33963", "datePublished": "2022-01-15T09:16:29", "dateReserved": "2021-06-07T00:00:00", "dateUpdated": "2024-08-04T00:05:52.317Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:chinamobile:an_lianbao_wf-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "81224F70-2658-4E2E-9CC8-63F2D4B3CB52", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:chinamobile:an_lianbao_wf-1_firmware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8D12A7F9-493E-4406-9F5C-03853419A3D6", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands."}, {"lang": "es", "value": "China Mobile La interfaz web del router Lianbao WF-1 versi\u00f3n v1.0.1, mediante /api/ZRMacClone/mac_addr_clone recibe par\u00e1metros por petici\u00f3n POST, y el par\u00e1metro macType presenta una vulnerabilidad de inyecci\u00f3n de comandos. Un atacante puede usar la vulnerabilidad para ejecutar comandos remotos"}], "id": "CVE-2021-33963", "lastModified": "2023-02-24T14:07:29.883", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-15T10:15:07.747", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://iot.10086.cn/?l=en-us"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection9.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}