GSD-2021-45036

Vulnerability from gsd - Updated: 2023-12-13 01:23
Details
Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.
Aliases
Aliases
CVE-2021-45036
To clipboard 

{
  "GSD": {
    "alias": "CVE-2021-45036",
    "id": "GSD-2021-45036"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-45036"
      ],
      "details": "\nVelneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims\u0027s username and hashed password to spoof the victim\u0027s id against the server.\n\n",
      "id": "GSD-2021-45036",
      "modified": "2023-12-13T01:23:19.532342Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve-coordination@incibe.es",
        "ID": "CVE-2021-45036",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Velneo vClient",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "28.1.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Velneo"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Jes\u00fas R\u00f3denas Huerta, @Marmeus"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\nVelneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims\u0027s username and hashed password to spoof the victim\u0027s id against the server.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-290",
                "lang": "eng",
                "value": "CWE-290 Authentication Bypass by Spoofing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0",
            "refsource": "MISC",
            "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"
          },
          {
            "name": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32",
            "refsource": "MISC",
            "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"
          },
          {
            "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena",
            "refsource": "MISC",
            "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"
          },
          {
            "name": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/",
            "refsource": "MISC",
            "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"
          },
          {
            "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps",
            "refsource": "MISC",
            "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"
          },
          {
            "name": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps",
            "refsource": "MISC",
            "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"
          },
          {
            "name": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver",
            "refsource": "MISC",
            "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nThis vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.\n\n"
        }
      ],
      "source": {
        "advisory": "INCIBE-2022-1017",
        "defect": [
          "INCIBE-2021-0028"
        ],
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-coordination@incibe.es",
          "ID": "CVE-2021-45036"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "\nVelneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims\u0027s username and hashed password to spoof the victim\u0027s id against the server.\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"
            },
            {
              "name": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"
            },
            {
              "name": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"
            },
            {
              "name": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"
            },
            {
              "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"
            },
            {
              "name": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"
            },
            {
              "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0",
              "refsource": "",
              "tags": [],
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-11-09T16:15Z",
      "publishedDate": "2022-11-28T16:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.