Velneo vClient Improper authentication

Posted date 16/09/2022
Identifier

INCIBE-2022-0907

Importance
3 - Medium
Affected Resources

Velneo vClient 28.1.3.

Description

INCIBE has coordinated the publication of a vulnerability in Velneo vClient, which has been discovered by Jesús Ródenas Huerta 'Marmeus'.

CVE-2021-45035 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N.

Solution

This vulnerability has been fixed by the Velneo team in version 29.2, released on 29/06/2021.

Detail

Velneo vClient, in its 28.1.3 version, does not correctly check the certificate of authenticity by default. This could allow an attacker who has access to the network to perform a MITM attack in order to obtain the user's credentials.

CWE-287: Improper Authentication.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication.
