CVE-2021-45036

Velneo vClient improper authentication

Description

Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

Remediation

Solution:

This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.

References

Link	Tags
https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0
https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32	release notes vendor advisory
https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena	release notes vendor advisory
https://velneo.es/mivelneo/listado-de-cambios-velneo-32/	release notes vendor advisory
https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps	vendor advisory
https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps	vendor advisory
https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-45036?: CVE-2021-45036 has been scored as a high severity vulnerability.
How to fix CVE-2021-45036?: To fix CVE-2021-45036: This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.
Is CVE-2021-45036 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-45036 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-45036?: CVE-2021-45036 affects Velneo Velneo vClient.

Description

Remediation

Categories

CWE-290 – Authentication Bypass by Spoofing

CWE-287 – Improper Authentication

References

Frequently Asked Questions