CVE-2021-34983 : NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Info

NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13708.

Published 2024-05-07 23:15:14

Updated 2024-08-04 01:35:06

Source Zero Day Initiative

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2021-34983

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2021-34983

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 10 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-34983

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	Zero Day Initiative	2024-05-08
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-34983

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigned by: zdi-disclosures@trendmicro.com (Secondary)

References for CVE-2021-34983

https://kb.netgear.com/000064313/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Some-Extenders-Routers-and-DSL-Modem-Routers-PSV-2021-0159

Security Advisory for Pre-Authentication Buffer Overflow on Some Extenders, Routers, and DSL Modem Routers, PSV-2021-0159 - NETGEAR Support

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-21-1275/

ZDI-21-1275 | Zero Day Initiative

Jump to

Vulnerability Details : CVE-2021-34983

Products affected by CVE-2021-34983

Exploit prediction scoring system (EPSS) score for CVE-2021-34983

CVSS scores for CVE-2021-34983

CWE ids for CVE-2021-34983

References for CVE-2021-34983