CVE-2021-27859

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| certcc | CNA | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE | ADP | --- | --- | | | |

EPSS Score Percentile: 71%

| Vendor | Product | Version |
|---|---|---|
| fatpipeinc | ipvpn_firmware | 5.2.0:r34 |
| fatpipeinc | ipvpn_firmware | 6.1.2:r70p26 |
| fatpipeinc | ipvpn_firmware | 6.1.2:r70p45-m |
| fatpipeinc | ipvpn_firmware | 6.1.2:r70p75-m |
| fatpipeinc | ipvpn_firmware | 7.1.2:r39 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r129 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r144 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r150 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r156 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p12 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p16 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p17 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p2 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p20 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p26 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r161p3 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r164 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r164p4 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r164p5 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r165 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r180p2 |
| fatpipeinc | ipvpn_firmware | 9.1.2:r185 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p10 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p13 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p32 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p35 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p45 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p55 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p58 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p58s1 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p65 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p71 |
| fatpipeinc | ipvpn_firmware | 10.1.2:r60p82 |
| fatpipeinc | ipvpn_firmware | 10.2.2:r10 |
| fatpipeinc | ipvpn_firmware | 10.2.2:r25 |
| fatpipeinc | ipvpn_firmware | 10.2.2:r38 |
| fatpipeinc | mpvpn_firmware | 5.2.0:r34 |
| fatpipeinc | mpvpn_firmware | 6.1.2:r70p26 |
| fatpipeinc | mpvpn_firmware | 6.1.2:r70p45-m |
| fatpipeinc | mpvpn_firmware | 6.1.2:r70p75-m |
| fatpipeinc | mpvpn_firmware | 7.1.2:r39 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r129 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r144 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r150 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r156 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p12 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p16 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p17 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p2 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p20 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p26 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r161p3 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r164 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r164p4 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r164p5 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r165 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r180p2 |
| fatpipeinc | mpvpn_firmware | 9.1.2:r185 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p10 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p13 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p32 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p35 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p45 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p55 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p58 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p58s1 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p65 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p71 |
| fatpipeinc | mpvpn_firmware | 10.1.2:r60p82 |
| fatpipeinc | mpvpn_firmware | 10.2.2:r10 |
| fatpipeinc | mpvpn_firmware | 10.2.2:r25 |
| fatpipeinc | mpvpn_firmware | 10.2.2:r38 |
| fatpipeinc | warp_firmware | 5.2.0:r34 |
| fatpipeinc | warp_firmware | 6.1.2:r70p26 |
| fatpipeinc | warp_firmware | 6.1.2:r70p45-m |
| fatpipeinc | warp_firmware | 6.1.2:r70p75-m |
| fatpipeinc | warp_firmware | 7.1.2:r39 |
| fatpipeinc | warp_firmware | 9.1.2:r129 |
| fatpipeinc | warp_firmware | 9.1.2:r144 |
| fatpipeinc | warp_firmware | 9.1.2:r150 |
| fatpipeinc | warp_firmware | 9.1.2:r156 |
| fatpipeinc | warp_firmware | 9.1.2:r161p12 |
| fatpipeinc | warp_firmware | 9.1.2:r161p16 |
| fatpipeinc | warp_firmware | 9.1.2:r161p17 |
| fatpipeinc | warp_firmware | 9.1.2:r161p2 |
| fatpipeinc | warp_firmware | 9.1.2:r161p20 |
| fatpipeinc | warp_firmware | 9.1.2:r161p26 |
| fatpipeinc | warp_firmware | 9.1.2:r161p3 |
| fatpipeinc | warp_firmware | 9.1.2:r164 |
| fatpipeinc | warp_firmware | 9.1.2:r164p4 |
| fatpipeinc | warp_firmware | 9.1.2:r164p5 |
| fatpipeinc | warp_firmware | 9.1.2:r165 |
| fatpipeinc | warp_firmware | 9.1.2:r180p2 |
| fatpipeinc | warp_firmware | 9.1.2:r185 |
| fatpipeinc | warp_firmware | 10.1.2:r60p10 |
| fatpipeinc | warp_firmware | 10.1.2:r60p13 |
| fatpipeinc | warp_firmware | 10.1.2:r60p32 |
| fatpipeinc | warp_firmware | 10.1.2:r60p35 |
| fatpipeinc | warp_firmware | 10.1.2:r60p45 |
| fatpipeinc | warp_firmware | 10.1.2:r60p55 |
| fatpipeinc | warp_firmware | 10.1.2:r60p58 |
| fatpipeinc | warp_firmware | 10.1.2:r60p58s1 |
| fatpipeinc | warp_firmware | 10.1.2:r60p65 |
| fatpipeinc | warp_firmware | 10.1.2:r60p71 |
| fatpipeinc | warp_firmware | 10.1.2:r60p82 |
| fatpipeinc | warp_firmware | 10.2.2:r10 |
| fatpipeinc | warp_firmware | 10.2.2:r25 |
| fatpipeinc | warp_firmware | 10.2.2:r38 |