CVE-2021-41314

Published on: 09/16/2021 12:00:00 AM UTC

Last Modified on: 09/29/2021 09:06:00 PM UTC

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Gc108p from Netgear contain the following vulnerability:

Certain NETGEAR smart switches are affected by a \n injection in the web UI's password field, which - due to several faulty aspects of the authentication scheme - allows the attacker to create (or overwrite) a file with specific content (e.g., the "2" string). This leads to admin session crafting and therefore gaining full web UI admin privileges by an unauthenticated attacker. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS750E before 1.0.1.10, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.

  • CVE-2021-41314 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.8 - HIGH

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 8.3 - HIGH

Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVE References

  • Seventh Inferno vulnerability (some NETGEAR smart switches) - gynvael.coldwind//vx.log (gynvael.coldwind.pl, text/html) [MISC]: gynvael.coldwind.pl/?id=742
  • Security Advisory for Multiple Vulnerabilities on Some Smart Switches, PSV-2021-0140, PSV-2021-0144, PSV-2021-0145 | Answer | NETGEAR Support (kb.netgear.com, text/html) [MISC]: kb.netgear.com/000063978/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Smart-Switches-PSV-2021-0140-PSV-2021-0144-PSV-2021-0145

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Hardware | Netgear | Gc108p | - | All | All | All
Hardware | Netgear | Gc108pp | - | All | All | All
Operating System | Netgear | Gc108pp Firmware | All | All | All | All
Operating System | Netgear | Gc108p Firmware | All | All | All | All
Hardware | Netgear | Gs108t | v3 | All | All | All
Operating System | Netgear | Gs108t Firmware | All | All | All | All
Hardware | Netgear | Gs110tp | v3 | All | All | All
Hardware | Netgear | Gs110tpp | - | All | All | All
Operating System | Netgear | Gs110tpp Firmware | All | All | All | All
Operating System | Netgear | Gs110tp Firmware | All | All | All | All
Hardware | Netgear | Gs110tup | - | All | All | All
Operating System | Netgear | Gs110tup Firmware | All | All | All | All
Hardware | Netgear | Gs308t | - | All | All | All
Operating System | Netgear | Gs308t Firmware | All | All | All | All
Hardware | Netgear | Gs310tp | - | All | All | All
Operating System | Netgear | Gs310tp Firmware | All | All | All | All
Hardware | Netgear | Gs710tup | - | All | All | All
Operating System | Netgear | Gs710tup Firmware | All | All | All | All
Hardware | Netgear | Gs716tp | - | All | All | All
Hardware | Netgear | Gs716tpp | - | All | All | All
Operating System | Netgear | Gs716tpp Firmware | All | All | All | All
Operating System | Netgear | Gs716tp Firmware | All | All | All | All
Hardware | Netgear | Gs724tp | v2 | All | All | All
Hardware | Netgear | Gs724tpp | - | All | All | All
Operating System | Netgear | Gs724tpp Firmware | All | All | All | All
Operating System | Netgear | Gs724tp Firmware | All | All | All | All
Hardware | Netgear | Gs728tp | v2 | All | All | All
Hardware | Netgear | Gs728tpp | v2 | All | All | All
Operating System | Netgear | Gs728tpp Firmware | All | All | All | All
Operating System | Netgear | Gs728tp Firmware | All | All | All | All
Hardware | Netgear | Gs750e | - | All | All | All
Operating System | Netgear | Gs750e Firmware | All | All | All | All
Hardware | Netgear | Gs752tp | v2 | All | All | All
Hardware | Netgear | Gs752tpp | - | All | All | All
Operating System | Netgear | Gs752tpp Firmware | All | All | All | All
Operating System | Netgear | Gs752tp Firmware | All | All | All | All
Hardware | Netgear | Ms510txm | - | All | All | All
Operating System | Netgear | Ms510txm Firmware | All | All | All | All
Hardware | Netgear | Ms510txup | - | All | All | All
Operating System | Netgear | Ms510txup Firmware | All | All | All | All

  • cpe:2.3:h:netgear:gc108p:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gc108pp:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gc108pp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gc108p_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs108t:v3:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs108t_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs110tp:v3:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs110tpp:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs110tpp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs110tp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs110tup:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs110tup_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs308t:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs308t_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs310tp:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs310tp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs710tup:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs710tup_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs716tp:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs716tpp:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs716tpp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs716tp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs724tp:v2:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs724tpp:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs724tpp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs724tp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs728tp:v2:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs728tpp:v2:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs728tpp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs728tp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs750e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs750e_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs752tp:v2:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:gs752tpp:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs752tpp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:gs752tp_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:ms510txm:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:ms510txm_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:netgear:ms510txup:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netgear:ms510txup_firmware:*:*:*:*:*:*:*:*

Social Mentions

Source | Title | Posted (UTC)
@CVEreport | CVE-2021-41314 : Certain NETGEAR smart switches are affected by a \n injection in the web UI's password field, whic… twitter.com/i/web/status/1… | 2021-09-16 22:12:12
@cantcomputer | CVE-2021-41314 This looks fun | 2021-09-17 01:19:19