CVE-2021-21734

Description

Some PON MDU devices of ZTE stored sensitive information in plaintext, and users with login authority can obtain it by inputing command. This affects: ZTE PON MDU device ZXA10 F821 V1.7.0P3T22, ZXA10 F822 V1.4.3T6, ZXA10 F819 V1.2.1T5, ZXA10 F832 V1.1.1T7, ZXA10 F839 V1.1.0T8, ZXA10 F809 V3.2.1T1, ZXA10 F822P V1.1.1T7, ZXA10 F832 V2.00.00.01

Related CPE's

oztezxa10_f821_firmware1.7.0p3t22*******

vulnerable

hztezxa10_f821-*******

oztezxa10_f822_firmware1.4.3t6*******

vulnerable

hztezxa10_f822-*******

oztezxa10_f819_firmware1.2.1t5*******

vulnerable

hztezxa10_f819-*******

oztezxa10_f832_firmware1.1.1t7*******

vulnerable

hztezxa10_f832-*******

oztezxa10_f839_firmware1.1.0t8*******

vulnerable

hztezxa10_f839-*******

References

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015524

Vendor Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

NONE

IntegrityImpact

NONE

PrivilegesRequired

LOW

BaseScore

6.5

VectorString

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

PARTIAL

AvailabilityImpact

NONE

IntegrityImpact

NONE

BaseScore

4

VectorString

AV:N/AC:L/Au:S/C:P/I:N/A:N

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE

Created by Yello
About Severity.io