Skip to main content

Versiondog CVE-2021-38461

HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2021-10-22 ics-cert@hq.dhs.gov
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 22, 2021 - 12:15 nvd
HIGH 8.2

DescriptionNVD

The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.

AnalysisAI

The affected product uses a hard-coded blowfish key for encryption/decryption processes. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-321. The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries. Affected products include: Auvesy Versiondog.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2021-38481 CRITICAL
9.8 Oct 22

The scheduler service running on a specific TCP port enables the user to start and stop jobs. Rated critical severity (C

CVE-2021-38477 CRITICAL
9.8 Oct 22

There are multiple API function codes that permit reading and writing data to or from files and directories, which could

CVE-2021-38459 CRITICAL
9.8 Oct 22

The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. Rated critic

CVE-2021-38457 CRITICAL
9.8 Oct 22

The server permits communication without any authentication procedure, allowing the attacker to initiate a session with

CVE-2021-38449 CRITICAL
9.8 Oct 22

Some API functions permit by-design writing or copying data into a given buffer. Rated critical severity (CVSS 9.8), thi

CVE-2021-38471 CRITICAL
9.1 Oct 22

There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existi

CVE-2021-38453 CRITICAL
9.1 Oct 22

Some API functions allow interaction with the registry, which includes reading values as well as data modification. Rate

CVE-2021-38475 HIGH
8.8 Oct 22

The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to

CVE-2021-38473 HIGH
8.8 Oct 22

The affected product’s code base doesn’t properly control arguments for specific functions, which could lead to a stack

CVE-2021-38467 HIGH
8.1 Oct 22

A specific function code receives a raw pointer supplied by the user and deallocates this pointer. Rated high severity (

CVE-2021-38463 HIGH
8.1 Oct 22

The affected product does not properly control the allocation of resources. Rated high severity (CVSS 8.1), this vulnera

CVE-2021-38479 HIGH
7.5 Oct 22

Many API function codes receive raw pointers remotely from the user and trust these pointers as valid in-bound memory re

Share

CVE-2021-38461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy