Velneo vClient Improper authentication

Posted date 16/09/2022
Importance
3 - Medium
Affected Resources

Velneo vClient 28.1.3.

Description

INCIBE has coordinated the publication of a vulnerability in Velneo vClient, which has been discovered by Jesús Ródenas Huerta 'Marmeus'.

CVE-2021-45035 has been assigned to this vulnerability. A CVSS v3.1 base score of 6,3  has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N.

Solution

This vulnerability has been fixed by Velneo team in the 29.2 version, released on 29/06/2021.

Detail

Velneo vClient on its 28.1.3 version, does not correctly check the certificate of authenticity by default. This could allow an attacker that has access to the network to perform a MITM attack in order to obtain the user´s credentials.

CWE-287: Improper Authentication.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication.

Encuesta valoración

References list
Notas de la versión
Notas de la versión: verificación de certificados
Velneo
Publicación de incidencia de seguridad en CVE (CVE-2021-45035)
Etiquetas