CVE-2021-27768 - OpenCVE

Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hcltech	Verse

Configuration 1 [-]

cpe:2.3:a:hcltech:verse:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753

History

No history.

MITRE

Status: PUBLISHED

Assigner: HCL

Published: 2022-05-12T21:25:22.517252Z

Updated: 2024-09-16T16:33:54.972Z

Reserved: 2021-02-26T00:00:00

Link: CVE-2021-27768

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-12T22:15:11.693

Modified: 2022-05-24T12:57:17.367

Link: CVE-2021-27768

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Verse for Android", "vendor": "HCL Software", "versions": [{"lessThan": "12.0.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-04-11T00:00:00", "descriptions": [{"lang": "en", "value": "Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-300", "description": "CWE-300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-12T21:25:22", "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753"}], "source": {"discovery": "UNKNOWN"}, "title": "An SSL certificate host verification vulnerability affects HCL Verse for Android", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@hcl.com", "DATE_PUBLIC": "2022-04-11T00:00:00.000Z", "ID": "CVE-2021-27768", "STATE": "PUBLIC", "TITLE": "An SSL certificate host verification vulnerability affects HCL Verse for Android"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Verse for Android", "version": {"version_data": [{"version_affected": "<", "version_value": "12.0.9"}]}}]}, "vendor_name": "HCL Software"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')"}]}]}, "references": {"reference_data": [{"name": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753", "refsource": "MISC", "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:26:10.887Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753"}]}]}, "cveMetadata": {"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "assignerShortName": "HCL", "cveId": "CVE-2021-27768", "datePublished": "2022-05-12T21:25:22.517252Z", "dateReserved": "2021-02-26T00:00:00", "dateUpdated": "2024-09-16T16:33:54.972Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:verse:*:*:*:*:*:android:*:*", "matchCriteriaId": "C1F5841E-5F38-4DAC-B47A-D813B2734366", "versionEndExcluding": "12.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login."}, {"lang": "es", "value": "Usando la capacidad de llevar a cabo un ataque de tipo Man-in-the-Middle (MITM), que indica una falta de verificaci\u00f3n del nombre de host, pudo interceptarse informaci\u00f3n confidencial de la cuenta. En este caso concreto, fu\u00e9 interceptado el tr\u00e1fico de red de la aplicaci\u00f3n usando un servidor proxy configurado en modo \"transparent\" mientras estaba activo un certificado con un nombre de host no v\u00e1lido. Se ha detectado que la aplicaci\u00f3n de Android ten\u00eda problemas de verificaci\u00f3n del nombre de host durante la configuraci\u00f3n del servidor y los flujos de inicio de sesi\u00f3n; sin embargo, la aplicaci\u00f3n no procesaba las peticiones despu\u00e9s del inicio de sesi\u00f3n"}], "id": "CVE-2021-27768", "lastModified": "2022-05-24T12:57:17.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2022-05-12T22:15:11.693", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-300"}], "source": "psirt@hcl.com", "type": "Secondary"}]}