Velneo vClient improper authentication

Posted date 23/11/2022
Importance
4 - High
Affected Resources

Velneo vClient, version 28.1.3.

Description

INCIBE has coordinated the publication of a vulnerability in Velneo vClient, which has been discovered by Jesús Ródenas Huerta, ‘Marmeus’.

CVE-2021-45036 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.7 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N.

Solution

This vulnerability has been fixed by the Velneo team in version 32, released on 11/08/2022.

Detail

Velneo vClient, in version 28.1.3, could allow an attacker who knows the victim's username and hashed password to spoof the victim's ID against the server.

CWE-290: Authentication Bypass by Spoofing.

If you have any information regarding this advisory, please contact INCIBE as indicated in the 'CVE assignment and publication' section.
