CVE-2021-38459
Published on: 10/22/2021 12:00:00 AM UTC
Last Modified on: 10/27/2021 04:26:00 PM UTC
CVE-2021-38459 - advisory for https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01
Certain versions of Versiondog from Auvesy contain the following vulnerability:
The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using the SYSDBA permission, an attacker can change user passwords or delete the database.
- CVE-2021-38459 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
- Affected Vendor/Software: AUVESY - Versiondog version <= 8.0
CVSS3 Score: 9.8 - CRITICAL
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 7.5 - HIGH
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | PARTIAL |
CVE References
Description | Tags | Link |
---|---|---|
AUVESY Versiondog \| CISA | us-cert.cisa.gov text/html | CONFIRM us-cert.cisa.gov/ics/advisories/icsa-21-292-01 |
Related QID Numbers
- 590588 AUVESY Versiondog Multiple Vulnerabilities (ICSA-21-292-01)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Auvesy | Versiondog | All | All | All | All |
- cpe:2.3:a:auvesy:versiondog:*:*:*:*:*:*:*:*
Discovery Credit
Amir Preminger of Claroty reported these vulnerabilities to CISA.