CVE-2021-41503

DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. The use of the basic authentication for the devices command interface allows attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

CVSS v3 8.0 HIGH
CVSS v2.0 5.2 MEDIUM

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.2^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 5.1 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247	Vendor Advisory
https://www.dlink.com/en/security-bulletin/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dcs-932l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-932l:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:d-link:dcs-5000l_firmware:1.05:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-5000l:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-09-24 20:15

Updated : 2024-07-19 18:15

NVD link : CVE-2021-41503

Mitre link : CVE-2021-41503

CVE.ORG link : CVE-2021-41503

JSON object : View

Products Affected

dlink

dcs-932l_firmware
dcs-5000l
dcs-932l

d-link

dcs-5000l_firmware

CWE

CWE-287

Improper Authentication

{"id": "CVE-2021-41503", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.2, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 5.1, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2021-09-24T20:15:07.373", "references": [{"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.dlink.com/en/security-bulletin/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. The use of the basic authentication for the devices command interface allows attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer"}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** DCS-5000L versi\u00f3n v1.05 y DCS-932L versi\u00f3n v2.17 y anteriores, est\u00e1n afectados por un Control de Acceso Incorrecto. El uso de la autenticaci\u00f3n b\u00e1sica para la interfaz de comandos de los dispositivos permite vectores de ataque que pueden comprometer la configuraci\u00f3n de las c\u00e1maras y permitir que usuarios maliciosos en la LAN accedan al dispositivo. NOTA: Esta vulnerabilidad s\u00f3lo afecta a los productos que ya no son soportados por el mantenedor."}], "lastModified": "2024-07-19T18:15:04.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-932l_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CC03FDD-D493-40AE-8237-49B5CCD8B2A7", "versionEndIncluding": "2.17"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-932l:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "34775D9A-F16B-43C5-A8F4-88C0F9760364"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:d-link:dcs-5000l_firmware:1.05:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "767926E3-53F8-4787-AD05-0FE62E33200E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-5000l:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "397F0BCA-7A8B-43A1-939D-27127384228D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}