CVE-2021-20129
Published 2021-10-13
CVE-2021-20129: An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs.
Priority P3 · 41 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.64% (73.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigorconnect | — | — |
CVSS provenance
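| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| cisa | — | 7.5 | HIGH | — |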
CISA
Draytek VigorConnect Path Traversal Vulnerability
cisa·2024-09-03·CVSS 7.5
CVE-2021-20123 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Vulnerability: Draytek VigorConnect Path Traversal Vulnerability
Affected: DrayTek VigorConnect
Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20123
Remediation Due Date: 2024-09-24
CISA
Draytek VigorConnect Path Traversal Vulnerability
cisa·2024-09-03·CVSS 7.5
CVE-2021-20124 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Vulnerability: Draytek VigorConnect Path Traversal Vulnerability
Affected: DrayTek VigorConnect
Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20124
Remediation Due Date: 2024-09-24
GHSA
GHSA-4h9v-pf3c-8hjw: An information disclosure vulnerability exists in Draytek VigorConnect 1
ghsa_unreviewed·2022-05-24
CVE-2021-20129 [HIGH] CWE-532 GHSA-4h9v-pf3c-8hjw: An information disclosure vulnerability exists in Draytek VigorConnect 1
An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs.
No detection rules found.
No public exploits indexed.
Published: 2021-10-13