Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities found for IPVPN by FatPipe
CVE-2021-27859 (GCVE-0-2021-27859)
Vulnerability from cvelistv5 – Published: 2021-12-15 16:14 – Updated: 2024-09-16 21:07
VLAI
Title
Missing authorization vulnerability in FatPipe software
Summary
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.
Severity
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_csrf.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:50.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt"
}
],
"source": {
"advisory": "FPSA005",
"discovery": "EXTERNAL"
},
"title": "Missing authorization vulnerability in FatPipe software",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27859",
"STATE": "PUBLIC",
"TITLE": "Missing authorization vulnerability in FatPipe software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt"
}
]
},
"source": {
"advisory": "FPSA005",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27859",
"datePublished": "2021-12-15T16:14:50.125Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:07:27.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27858 (GCVE-0-2021-27858)
Vulnerability from cvelistv5 – Published: 2021-12-15 16:14 – Updated: 2024-09-17 01:16
VLAI
Title
Missing authorization vulnerability in FatPipe software
Summary
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL "/fpui/jsp/index.jsp" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_auth.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_auth.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL \"/fpui/jsp/index.jsp\" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:49.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_auth.txt"
}
],
"source": {
"advisory": "FPSA004",
"discovery": "EXTERNAL"
},
"title": "Missing authorization vulnerability in FatPipe software",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27858",
"STATE": "PUBLIC",
"TITLE": "Missing authorization vulnerability in FatPipe software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL \"/fpui/jsp/index.jsp\" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_auth.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_auth.txt"
}
]
},
"source": {
"advisory": "FPSA004",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27858",
"datePublished": "2021-12-15T16:14:49.376Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:16:55.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27857 (GCVE-0-2021-27857)
Vulnerability from cvelistv5 – Published: 2021-12-15 16:14 – Updated: 2024-09-17 04:29
VLAI
Title
FatPipe software allows unauthenticated configuration download
Summary
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_configdl.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:48.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt"
}
],
"source": {
"advisory": "FPSA003",
"discovery": "EXTERNAL"
},
"title": "FatPipe software allows unauthenticated configuration download",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27857",
"STATE": "PUBLIC",
"TITLE": "FatPipe software allows unauthenticated configuration download"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt"
}
]
},
"source": {
"advisory": "FPSA003",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27857",
"datePublished": "2021-12-15T16:14:48.650Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:29:07.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27856 (GCVE-0-2021-27856)
Vulnerability from cvelistv5 – Published: 2021-12-15 16:14 – Updated: 2024-09-17 01:31
VLAI
Title
FatPipe software administrative account with no password
Summary
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.
Severity
9.8 (Critical)
CWE
- Default administrative account with no password
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_backdoor.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named \"cmuser\" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Default administrative account with no password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:47.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt"
}
],
"source": {
"advisory": "FPSA002",
"discovery": "EXTERNAL"
},
"title": "FatPipe software administrative account with no password",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27856",
"STATE": "PUBLIC",
"TITLE": "FatPipe software administrative account with no password"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named \"cmuser\" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Default administrative account with no password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt"
}
]
},
"source": {
"advisory": "FPSA002",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27856",
"datePublished": "2021-12-15T16:14:47.938Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:31:27.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27855 (GCVE-0-2021-27855)
Vulnerability from cvelistv5 – Published: 2021-12-15 16:14 – Updated: 2024-09-17 02:42
VLAI
KEVintel KEV
Title
FatPipe software allows privilege escalation
Summary
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001.
Severity
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_privesc.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:47.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt"
}
],
"source": {
"advisory": "FPSA001",
"discovery": "EXTERNAL"
},
"title": "FatPipe software allows privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27855",
"STATE": "PUBLIC",
"TITLE": "FatPipe software allows privilege escalation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt"
}
]
},
"source": {
"advisory": "FPSA001",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27855",
"datePublished": "2021-12-15T16:14:47.069Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:42:43.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27860 (GCVE-0-2021-27860)
Vulnerability from cvelistv5 – Published: 2021-12-08 16:15 – Updated: 2025-10-21 23:25Title
Arbitrary file upload vulnerability in FatPipe software
Summary
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.
Severity
9.8 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
3 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p92
(custom)
Affected: 10.2 , < 10.2.2r44p1 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p92
(custom)
Affected: 10.2 , < 10.2.2r44p1 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p92
(custom)
Affected: 10.2 , < 10.2.2r44p1 (custom) |
Date Public
2021-11-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-27860",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:32:03.032241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-01-10",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27860"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:23.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27860"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-01-10T00:00:00.000Z",
"value": "CVE-2021-27860 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p92",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r44p1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p92",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r44p1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p92",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r44p1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T15:04:56.650Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"url": "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
}
],
"source": {
"advisory": "FPSA006",
"discovery": "USER"
},
"title": "Arbitrary file upload vulnerability in FatPipe software",
"x_generator": {
"engine": "cveClient/1.0.15"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-11-16T00:00:00.000Z",
"ID": "CVE-2021-27860",
"STATE": "PUBLIC",
"TITLE": "Arbitrary file upload vulnerability in FatPipe software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p92"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r44p1"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p92"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r44p1"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p92"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r44p1"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"references": {
"reference_data": [
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.ic3.gov/Media/News/2021/211117-2.pdf",
"refsource": "MISC",
"url": "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
}
]
},
"source": {
"advisory": "FPSA006",
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27860",
"datePublished": "2021-12-08T16:15:48.319Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:23.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27859 (GCVE-0-2021-27859)
Vulnerability from nvd – Published: 2021-12-15 16:14 – Updated: 2024-09-16 21:07
VLAI
Title
Missing authorization vulnerability in FatPipe software
Summary
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.
Severity
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_csrf.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:50.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt"
}
],
"source": {
"advisory": "FPSA005",
"discovery": "EXTERNAL"
},
"title": "Missing authorization vulnerability in FatPipe software",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27859",
"STATE": "PUBLIC",
"TITLE": "Missing authorization vulnerability in FatPipe software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_csrf.txt"
}
]
},
"source": {
"advisory": "FPSA005",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27859",
"datePublished": "2021-12-15T16:14:50.125Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:07:27.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27858 (GCVE-0-2021-27858)
Vulnerability from nvd – Published: 2021-12-15 16:14 – Updated: 2024-09-17 01:16
VLAI
Title
Missing authorization vulnerability in FatPipe software
Summary
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL "/fpui/jsp/index.jsp" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_auth.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_auth.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL \"/fpui/jsp/index.jsp\" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:49.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_auth.txt"
}
],
"source": {
"advisory": "FPSA004",
"discovery": "EXTERNAL"
},
"title": "Missing authorization vulnerability in FatPipe software",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27858",
"STATE": "PUBLIC",
"TITLE": "Missing authorization vulnerability in FatPipe software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL \"/fpui/jsp/index.jsp\" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_auth.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_auth.txt"
}
]
},
"source": {
"advisory": "FPSA004",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27858",
"datePublished": "2021-12-15T16:14:49.376Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:16:55.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27857 (GCVE-0-2021-27857)
Vulnerability from nvd – Published: 2021-12-15 16:14 – Updated: 2024-09-17 04:29
VLAI
Title
FatPipe software allows unauthenticated configuration download
Summary
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_configdl.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:48.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt"
}
],
"source": {
"advisory": "FPSA003",
"discovery": "EXTERNAL"
},
"title": "FatPipe software allows unauthenticated configuration download",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27857",
"STATE": "PUBLIC",
"TITLE": "FatPipe software allows unauthenticated configuration download"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA003."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_configdl.txt"
}
]
},
"source": {
"advisory": "FPSA003",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27857",
"datePublished": "2021-12-15T16:14:48.650Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:29:07.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27855 (GCVE-0-2021-27855)
Vulnerability from nvd – Published: 2021-12-15 16:14 – Updated: 2024-09-17 02:42
VLAI
KEVintel KEV
Title
FatPipe software allows privilege escalation
Summary
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001.
Severity
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_privesc.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:47.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt"
}
],
"source": {
"advisory": "FPSA001",
"discovery": "EXTERNAL"
},
"title": "FatPipe software allows privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27855",
"STATE": "PUBLIC",
"TITLE": "FatPipe software allows privilege escalation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_privesc.txt"
}
]
},
"source": {
"advisory": "FPSA001",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27855",
"datePublished": "2021-12-15T16:14:47.069Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:42:43.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27856 (GCVE-0-2021-27856)
Vulnerability from nvd – Published: 2021-12-15 16:14 – Updated: 2024-09-17 01:31
VLAI
Title
FatPipe software administrative account with no password
Summary
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.
Severity
9.8 (Critical)
CWE
- Default administrative account with no password
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | x_refsource_MISC |
| https://www.fatpipeinc.com/support/cve-list.php | x_refsource_CONFIRM |
| https://www.zeroscience.mk/codes/fatpipe_backdoor.txt | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p91
(custom)
Affected: 10.2 , < 10.2.2r42 (custom) |
Date Public
2021-09-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p91",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r42",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named \"cmuser\" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Default administrative account with no password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T16:14:47.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt"
}
],
"source": {
"advisory": "FPSA002",
"discovery": "EXTERNAL"
},
"title": "FatPipe software administrative account with no password",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-09-27T00:00:00.000Z",
"ID": "CVE-2021-27856",
"STATE": "PUBLIC",
"TITLE": "FatPipe software administrative account with no password"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p91"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r42"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named \"cmuser\" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Default administrative account with no password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php"
},
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/codes/fatpipe_backdoor.txt"
}
]
},
"source": {
"advisory": "FPSA002",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27856",
"datePublished": "2021-12-15T16:14:47.938Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:31:27.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27860 (GCVE-0-2021-27860)
Vulnerability from nvd – Published: 2021-12-08 16:15 – Updated: 2025-10-21 23:25Title
Arbitrary file upload vulnerability in FatPipe software
Summary
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.
Severity
9.8 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
3 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| FatPipe | WARP |
Affected:
10.1 , < 10.1.2r60p92
(custom)
Affected: 10.2 , < 10.2.2r44p1 (custom) |
|
| FatPipe | IPVPN |
Affected:
10.1 , < 10.1.2r60p92
(custom)
Affected: 10.2 , < 10.2.2r44p1 (custom) |
|
| FatPipe | MPVPN |
Affected:
10.1 , < 10.1.2r60p92
(custom)
Affected: 10.2 , < 10.2.2r44p1 (custom) |
Date Public
2021-11-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-27860",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:32:03.032241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-01-10",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27860"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:23.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27860"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-01-10T00:00:00.000Z",
"value": "CVE-2021-27860 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WARP",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p92",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r44p1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "IPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p92",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r44p1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
},
{
"product": "MPVPN",
"vendor": "FatPipe",
"versions": [
{
"lessThan": "10.1.2r60p92",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.2r44p1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T15:04:56.650Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"url": "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
}
],
"source": {
"advisory": "FPSA006",
"discovery": "USER"
},
"title": "Arbitrary file upload vulnerability in FatPipe software",
"x_generator": {
"engine": "cveClient/1.0.15"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-11-16T00:00:00.000Z",
"ID": "CVE-2021-27860",
"STATE": "PUBLIC",
"TITLE": "Arbitrary file upload vulnerability in FatPipe software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p92"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r44p1"
}
]
}
},
{
"product_name": "IPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p92"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r44p1"
}
]
}
},
{
"product_name": "MPVPN",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.2r60p92"
},
{
"version_affected": "\u003c",
"version_name": "10.2",
"version_value": "10.2.2r44p1"
}
]
}
}
]
},
"vendor_name": "FatPipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"references": {
"reference_data": [
{
"name": "https://www.fatpipeinc.com/support/cve-list.php",
"refsource": "CONFIRM",
"url": "https://www.fatpipeinc.com/support/cve-list.php"
},
{
"name": "https://www.ic3.gov/Media/News/2021/211117-2.pdf",
"refsource": "MISC",
"url": "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
}
]
},
"source": {
"advisory": "FPSA006",
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27860",
"datePublished": "2021-12-08T16:15:48.319Z",
"dateReserved": "2021-03-01T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:23.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}