This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13325.
References
| Link | Resource |
|---|---|
| https://kb.netgear.com/000063967/Security-Advisory-for-a-Security-Misconfiguration-Vulnerability-on-the-XR1000-PSV-2021-0101 | Patch Vendor Advisory |
| https://www.zerodayinitiative.com/advisories/ZDI-21-1058/ | Third Party Advisory VDB Entry |
| https://kb.netgear.com/000063967/Security-Advisory-for-a-Security-Misconfiguration-Vulnerability-on-the-XR1000-PSV-2021-0101 | Patch Vendor Advisory |
| https://www.zerodayinitiative.com/advisories/ZDI-21-1058/ | Third Party Advisory VDB Entry |
Configurations
Configuration 1 (hide)
| AND |
|
History
21 Nov 2024, 06:11
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://kb.netgear.com/000063967/Security-Advisory-for-a-Security-Misconfiguration-Vulnerability-on-the-XR1000-PSV-2021-0101 - Patch, Vendor Advisory | |
| References | () https://www.zerodayinitiative.com/advisories/ZDI-21-1058/ - Third Party Advisory, VDB Entry |
Information
Published : 2022-01-25 16:15
Updated : 2024-11-21 06:11
NVD link : CVE-2021-34870
Mitre link : CVE-2021-34870
CVE.ORG link : CVE-2021-34870
JSON object : View
Products Affected
netgear
- xr1000
CWE
CWE-306
Missing Authentication for Critical Function