CVE-2021-38461 - Vulnerability Details - OpenCVE

The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Key SSVC decision points have not yet been added.

Vendors	Products
Auvesy	Versiondog

Configuration 1 [-]

cpe:2.3:a:auvesy:versiondog:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-24913	The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.

Fixes

Solution

AUVESY recommends upgrading Versiondog to Version 8.1 or later (login required).

Workaround

No workaround given by the vendor.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01

History

Mon, 16 Sep 2024 22:15:00 +0000

Type	Values Removed	Values Added
Title	AUVESY Versiondog	AUVESY Versiondog

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-10-22T11:23:18.809729Z

Updated: 2024-09-16T21:56:39.301Z

Reserved: 2021-08-10T00:00:00

Link: CVE-2021-38461

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-22T12:15:08.423

Modified: 2024-11-21T06:17:09.527

Link: CVE-2021-38461

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Versiondog", "vendor": "AUVESY", "versions": [{"lessThanOrEqual": "8.0", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Amir Preminger of Claroty reported these vulnerabilities to CISA."}], "datePublic": "2021-08-19T00:00:00", "descriptions": [{"lang": "en", "value": "The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-22T11:23:18", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"}], "solutions": [{"lang": "en", "value": "AUVESY recommends upgrading Versiondog to Version 8.1 or later (login required)."}], "source": {"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01", "discovery": "UNKNOWN"}, "title": "AUVESY Versiondog", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-08-19T15:34:00.000Z", "ID": "CVE-2021-38461", "STATE": "PUBLIC", "TITLE": "AUVESY Versiondog"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Versiondog", "version": {"version_data": [{"version_affected": "<=", "version_name": "All", "version_value": "8.0"}]}}]}, "vendor_name": "AUVESY"}]}}, "credit": [{"lang": "eng", "value": "Amir Preminger of Claroty reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-321 Use of Hard-coded Cryptographic Key"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01", "refsource": "CONFIRM", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"}]}, "solution": [{"lang": "en", "value": "AUVESY recommends upgrading Versiondog to Version 8.1 or later (login required)."}], "source": {"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:22.933Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38461", "datePublished": "2021-10-22T11:23:18.809729Z", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-09-16T21:56:39.301Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auvesy:versiondog:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE7528C6-8C4F-49D1-8591-BB54D2D6833C", "versionEndExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries."}, {"lang": "es", "value": "El producto afectado usa una clave blowfish embebida para los procesos de cifrado/descifrado. La clave puede ser f\u00e1cilmente extra\u00edda de los binarios"}], "id": "CVE-2021-38461", "lastModified": "2024-11-21T06:17:09.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-22T12:15:08.423", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}