CVE-2021-21743

ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*

cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-10-20 16:15

Updated : 2021-10-25 16:06

NVD link : CVE-2021-21743

Mitre link : CVE-2021-21743

CVE.ORG link : CVE-2021-21743

JSON object : View

Products Affected

zte

mf971r
mf971r_firmware

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2021-21743", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-10-20T16:15:08.103", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request."}, {"lang": "es", "value": "El producto ZTE MF971R presenta una vulnerabilidad de inyecci\u00f3n de CRLF. Un atacante podr\u00eda aprovechar esta vulnerabilidad para modificar la informaci\u00f3n del encabezado de respuesta HTTP mediante una petici\u00f3n HTTP especialmente dise\u00f1ada"}], "lastModified": "2021-10-25T16:06:55.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72A4F659-C656-47D6-B38E-5BA8E73DCD30"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35FA4400-636F-48E7-AF1E-9416D9E9386F"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "252BBFAA-0053-441A-8F20-A737EF573355"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B066F08-DDC4-4868-8FD2-620E46660B64"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9A7F54F4-E324-4D1E-839E-677396BAFE49"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAA1BD70-DC47-4B81-A906-3FD76E593F75"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@zte.com.cn"}