CVE-2021-45036

Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

CVSS v3.0 7.4 HIGH

7.4^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe-cert.es/en/early-warning/security-advisories/velneo-vclient-improper-authentication-0	Third Party Advisory
https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena	Release Notes Vendor Advisory
https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32	Release Notes Vendor Advisory
https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps	Vendor Advisory
https://velneo.es/mivelneo/listado-de-cambios-velneo-32/	Release Notes Vendor Advisory
https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps	Vendor Advisory
https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver	Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*

Information

Published : 2022-11-28 08:15

Updated : 2022-12-01 14:51

NVD link : CVE-2021-45036

Mitre link : CVE-2021-45036

JSON object : View

CWE

CWE-290

Authentication Bypass by Spoofing

Advertisement

Products Affected

velneo

vclient

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/velneo-vclient-improper-authentication-0", "name": "https://www.incibe-cert.es/en/early-warning/security-advisories/velneo-vclient-improper-authentication-0", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", "tags": ["Release Notes", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", "name": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", "tags": ["Release Notes", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", "name": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", "name": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", "tags": ["Release Notes", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", "name": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", "tags": ["Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-290"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-45036", "ASSIGNER": "cve-coordination@incibe.es"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}}, "publishedDate": "2022-11-28T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-12-01T22:51Z"}