CVE-2021-45036 - OpenCVE

Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Velneo	Vclient

Configuration 1 [-]

cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps
https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver
https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps
https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena
https://velneo.es/mivelneo/listado-de-cambios-velneo-32/
https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0
https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32

History

Mon, 16 Sep 2024 17:45:00 +0000

Type	Values Removed	Values Added
Description	Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.	Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2022-11-28T15:29:02.063832Z

Updated: 2024-09-16T17:33:07.164Z

Reserved: 2021-12-13T00:00:00

Link: CVE-2021-45036

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-28T16:15:09.090

Modified: 2024-09-16T18:15:49.133

Link: CVE-2021-45036

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-45036", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "datePublished": "2022-11-28T15:29:02.063832Z", "dateUpdated": "2024-09-16T17:33:07.164Z", "dateReserved": "2021-12-13T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Velneo vClient", "vendor": "Velneo", "versions": [{"status": "affected", "version": "28.1.3"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jes\u00fas R\u00f3denas Huerta, @Marmeus"}], "datePublic": "2022-11-22T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.</span>"}], "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-09T16:02:44.992Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.</span>"}], "value": "This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022."}], "source": {"advisory": "INCIBE-2022-1017", "defect": ["INCIBE-2021-0028"], "discovery": "EXTERNAL"}, "title": "Velneo vClient improper authentication", "x_generator": {"engine": "Vulnogram 0.0.9"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.641Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0", "tags": ["x_transferred"]}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", "tags": ["x_transferred"]}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "2802675E-9543-403C-95FF-3CFF1FC01896", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server."}, {"lang": "es", "value": "Velneo vClient en su versi\u00f3n 28.1.3 podr\u00eda permitir que un atacante con conocimiento del nombre de usuario y la contrase\u00f1a hash de la v\u00edctima falsifique la identificaci\u00f3n de la v\u00edctima en el servidor."}], "id": "CVE-2021-45036", "lastModified": "2024-09-16T18:15:49.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2022-11-28T16:15:09.090", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"}, {"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"}, {"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"}, {"source": "cve-coordination@incibe.es", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"}, {"source": "cve-coordination@incibe.es", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"}, {"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"}, {"source": "cve-coordination@incibe.es", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}