CVE-2021-20134

CWE-22 — Path Traversal3 documents3 sources

Severity

8.4HIGH

EPSS

1.1%

top 22.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dlink Dir-2640-us Firmware

Timeline

PublishedDec 30

Latest updateDec 31

Description

Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set an arbitrary file on the router's filesystem as the log file used by either Quagga service (zebra or ripd). Subsequent log messages will be appended to the file, prefixed by a timestamp and some logging metadata. Remote code execution can be achieved by using this vulnerability to append to a shell script on the rout…

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.7 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5quagga_services_on_d-link_dir-2640_routers1.11B02

▶NVDdlink/dir-2640-us_firmware1.11b02

🔴Vulnerability Details

GHSA

GHSA-v4h7-5mx9-q833: Quagga Services on D-Link DIR-2640 less than or equal to version 1↗2021-12-31

▶

CVEList

CVE-2021-20134: Quagga Services on D-Link DIR-2640 less than or equal to version 1↗2021-12-30

▶