CISA KEV Information
| Vulnerability Name | Draytek VigorConnect Path Traversal Vulnerability |
|---|---|
| Description | Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Known Ransomware Campaign Use | Unknown |
| CWE | CWE-22 |
| Date Added (KEV) | 2024-09-03 |
| Due Date | 2024-09-24 |
| Additional Notes | https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20124 |
NVD Details
CVSS v3.1: 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2.0: 7.8
AV:N/AC:L/Au:N/C:C/I:N/A:N
Description: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
CWE: CWE-22
References
- https://www.tenable.com/security/research/tra-2021-42 [Exploit, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20124 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.