CVE-2021-32541 - OpenCVE

The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sysjust	Cts Web

Configuration 1 [-]

cpe:2.3:a:sysjust:cts_web:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344
https://www.twcert.org.tw/tw/cp-132-4757-893eb-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2021-05-28T08:10:27.063232Z

Updated: 2024-09-17T00:46:15.943Z

Reserved: 2021-05-10T00:00:00

Link: CVE-2021-32541

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-28T08:15:07.057

Modified: 2022-06-03T19:44:58.400

Link: CVE-2021-32541

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CTS Web", "vendor": "SysJust", "versions": [{"lessThanOrEqual": "released 2021.3.25", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-05-28T00:00:00", "descriptions": [{"lang": "en", "value": "The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "None", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-21T10:25:27", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-4757-893eb-1.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}], "solutions": [{"lang": "en", "value": "Update CTS to version released after 2021.3.25"}], "source": {"advisory": "TVN-202105003", "discovery": "EXTERNAL"}, "title": "SysJust CTS Web - Broken Access Control", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-05-28T07:56:00.000Z", "ID": "CVE-2021-32541", "STATE": "PUBLIC", "TITLE": "SysJust CTS Web - Broken Access Control"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CTS Web", "version": {"version_data": [{"version_affected": "<=", "version_value": "released 2021.3.25"}]}}]}, "vendor_name": "SysJust"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "None"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-4757-893eb-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-4757-893eb-1.html"}, {"name": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344", "refsource": "CONFIRM", "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}]}, "solution": [{"lang": "en", "value": "Update CTS to version released after 2021.3.25"}], "source": {"advisory": "TVN-202105003", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:30.914Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-4757-893eb-1.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-32541", "datePublished": "2021-05-28T08:10:27.063232Z", "dateReserved": "2021-05-10T00:00:00", "dateUpdated": "2024-09-17T00:46:15.943Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysjust:cts_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5DB6391-81C8-47A2-A1F2-1B127E1FFC7E", "versionEndExcluding": "2021.3.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services"}, {"lang": "es", "value": "El sistema de transacciones CTS Web relacionado con la autenticaci\u00f3n y la gesti\u00f3n de sesiones es implementado incorrectamente, lo que permite a atacantes remotos no autenticados enviar una gran cantidad de nombres de usuario v\u00e1lidos y forzar a las personas que han iniciado sesi\u00f3n a cerrar la sesi\u00f3n, causando que el usuario no pueda acceder a los servicios"}], "id": "CVE-2021-32541", "lastModified": "2022-06-03T19:44:58.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2021-05-28T08:15:07.057", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4757-893eb-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}