CVE-2021-20146 — CRITICAL (9.8)

Q: How severe is CVE-2021-20146?

CVE-2021-20146 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-20146?

Check the references section above for vendor advisories and patch information. Affected products include: Gryphonconnect Gryphon Tower Firmware, Gryphonconnect Gryphon Tower.

Vulnerability Description

An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, the ssh key could be used to login to the development server hosted in Amazon Web Services.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gryphonconnect	Gryphon Tower Firmware	<= 04.0004.12
Gryphonconnect	Gryphon Tower	-

Related Weaknesses (CWE)

CWE-522

References

https://www.tenable.com/security/research/tra-2021-51Vendor Advisory
https://www.tenable.com/security/research/tra-2021-51Vendor Advisory

FAQ

What is CVE-2021-20146?

CVE-2021-20146 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, ...

How severe is CVE-2021-20146?

CVE-2021-20146 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-20146?

Check the references section above for vendor advisories and patch information. Affected products include: Gryphonconnect Gryphon Tower Firmware, Gryphonconnect Gryphon Tower.