TCMAN GIM missing authorization vulnerability

Posted date 14/12/2021
Importance
4 - High
Affected Resources

GIM version v8 and v11.

Description

INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0511, which has been discovered by Víctor Fidalgo Villar, researcher in INCIBE.

CVE-2021-40853 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated, the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.

Solution

This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.

Detail

TCMAN GIM does not perform an authorization check when trying to access determined resources. A remote attacker could exploit this vulnerability to access URL that require privileges without having them.

The exploitation of this vulnerability might allow a remote attacker to obtain sensible information.

CWE-862: missing authorization.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración