CVE-2021-20049Observable Response Discrepancy in SMA 100 Firmware

CWE-204Observable Response DiscrepancyCWE-203Observable DiscrepancyCWE-200Sensitive Information Exposure3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 43.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Sonicwall SMA 100 FirmwareSonicwall SMA 200 FirmwareSonicwall SMA 210 Firmware+4 more
Timeline
PublishedDec 23
Latest updateDec 24

Description

A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server responses. This vulnerability impacts 10.2.1.2-24sv, 10.2.0.8-37sv and earlier 10.x versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

NVDsonicwall/sma_100_firmware< 10.0.0.0+2
CVEListV5sonicwall/sonicwall_sma10010.2.0.8-37sv and earlier, 10.2.1.2-24sv and earlier+1
NVDsonicwall/sma_200_firmware< 10.0.0.0+2
NVDsonicwall/sma_210_firmware< 10.0.0.0+2
NVDsonicwall/sma_400_firmware< 10.0.0.0+2

🔴Vulnerability Details

2
GHSA
GHSA-8j6m-2r2j-2f2x: A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the s2021-12-24
CVEList
CVE-2021-20049: A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the s2021-12-23
CVE-2021-20049 — Observable Response Discrepancy | cvebase