CVE-2021-22530 (GCVE-0-2021-22530)
Vulnerability from cvelistv5 – Published: 2024-08-28 06:29 – Updated: 2024-08-28 13:31
VLAI?
Summary
A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1
Severity ?
8.2 (High)
CWE
- CWE-667 - Improper Locking
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText | NetIQ Advance Authentication |
Affected:
6.3.5.1 , < <
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T13:19:20.381421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T13:31:54.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "NetIQ Advance Authentication",
"vendor": "OpenText",
"versions": [
{
"lessThan": "\u003c",
"status": "affected",
"version": "6.3.5.1",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability identified in NetIQ Advance Authentication that doesn\u0027t enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1\u003cbr\u003e"
}
],
"value": "A vulnerability identified in NetIQ Advance Authentication that doesn\u0027t enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1"
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49 Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T06:29:20.166Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper account management vulnerability in NetIQ Advance Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2021-22530",
"datePublished": "2024-08-28T06:29:20.166Z",
"dateReserved": "2021-01-05T18:14:04.352Z",
"dateUpdated": "2024-08-28T13:31:54.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.3\", \"matchCriteriaId\": \"7D8BAEC8-626A-4520-A89F-DB40CC774D87\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"689649F7-75D8-4D13-9A71-50C2908EACA5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"A0F82417-D88A-40C5-AD90-7AB826E29C2D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp2:*:*:*:*:*:*\", \"matchCriteriaId\": \"0DD98BB8-7A85-41D6-B1CB-7849D61F085A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp3:*:*:*:*:*:*\", \"matchCriteriaId\": \"729C4860-8CAC-4D4B-8C68-00B1E84E700A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp4:*:*:*:*:*:*\", \"matchCriteriaId\": \"FEFFEB38-B4CA-48ED-9149-073334346CA3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp4_patch1:*:*:*:*:*:*\", \"matchCriteriaId\": \"B14AC9B7-9339-44BA-BF1B-1876DAFBCA14\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp5:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A5CE16C-376A-40C1-83E9-2424AAAB668D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability identified in NetIQ Advance Authentication that doesn\u0027t enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad identificada en la autenticaci\\u00f3n avanzada de NetIQ que no aplica el bloqueo de cuenta cuando se realiza un ataque de fuerza bruta en el inicio de sesi\\u00f3n basado en API. Este problema puede comprometer la cuenta del usuario si tiene \\u00e9xito o puede afectar el rendimiento del servidor. Este problema afecta a toda la autenticaci\\u00f3n avanzada de NetIQ anterior a 6.3.5.1\"}]",
"id": "CVE-2021-22530",
"lastModified": "2024-09-13T17:15:29.670",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 5.3}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.3}]}",
"published": "2024-08-28T07:15:06.750",
"references": "[{\"url\": \"https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html\", \"source\": \"security@opentext.com\", \"tags\": [\"Release Notes\"]}]",
"sourceIdentifier": "security@opentext.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-667\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-307\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-22530\",\"sourceIdentifier\":\"security@opentext.com\",\"published\":\"2024-08-28T07:15:06.750\",\"lastModified\":\"2024-09-13T17:15:29.670\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability identified in NetIQ Advance Authentication that doesn\u0027t enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad identificada en la autenticaci\u00f3n avanzada de NetIQ que no aplica el bloqueo de cuenta cuando se realiza un ataque de fuerza bruta en el inicio de sesi\u00f3n basado en API. Este problema puede comprometer la cuenta del usuario si tiene \u00e9xito o puede afectar el rendimiento del servidor. Este problema afecta a toda la autenticaci\u00f3n avanzada de NetIQ anterior a 6.3.5.1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.3,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.3}]},\"weaknesses\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.3\",\"matchCriteriaId\":\"7D8BAEC8-626A-4520-A89F-DB40CC774D87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"689649F7-75D8-4D13-9A71-50C2908EACA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0F82417-D88A-40C5-AD90-7AB826E29C2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DD98BB8-7A85-41D6-B1CB-7849D61F085A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp3:*:*:*:*:*:*\",\"matchCriteriaId\":\"729C4860-8CAC-4D4B-8C68-00B1E84E700A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp4:*:*:*:*:*:*\",\"matchCriteriaId\":\"FEFFEB38-B4CA-48ED-9149-073334346CA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp4_patch1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B14AC9B7-9339-44BA-BF1B-1876DAFBCA14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp5:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A5CE16C-376A-40C1-83E9-2424AAAB668D\"}]}]}],\"references\":[{\"url\":\"https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html\",\"source\":\"security@opentext.com\",\"tags\":[\"Release Notes\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-22530\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-28T13:19:20.381421Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-28T13:31:49.984Z\"}}], \"cna\": {\"title\": \"Improper account management vulnerability in NetIQ Advance Authentication\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-49\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-49 Password Brute Forcing\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OpenText\", \"product\": \"NetIQ Advance Authentication\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.3.5.1\", \"lessThan\": \"\u003c\", \"versionType\": \"server\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability identified in NetIQ Advance Authentication that doesn\u0027t enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A vulnerability identified in NetIQ Advance Authentication that doesn\u0027t enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-667\", \"description\": \"CWE-667 Improper Locking\"}]}], \"providerMetadata\": {\"orgId\": \"f81092c5-7f14-476d-80dc-24857f90be84\", \"shortName\": \"OpenText\", \"dateUpdated\": \"2024-08-28T06:29:20.166Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2021-22530\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-28T13:31:54.122Z\", \"dateReserved\": \"2021-01-05T18:14:04.352Z\", \"assignerOrgId\": \"f81092c5-7f14-476d-80dc-24857f90be84\", \"datePublished\": \"2024-08-28T06:29:20.166Z\", \"assignerShortName\": \"OpenText\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…