An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks.
History

Thu, 31 Oct 2024 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-798
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 22 Aug 2024 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Aug 2024 03:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-08-22T00:00:00

Updated: 2024-10-31T18:17:04.946Z

Reserved: 2024-08-22T00:00:00

Link: CVE-2024-45165

cve-icon Vulnrichment

Updated: 2024-08-22T13:04:59.970Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-08-22T04:15:22.310

Modified: 2024-10-31T19:35:08.327

Link: CVE-2024-45165

cve-icon Redhat

No data.