CVE-2021-45036 - Vulnerability Details - OpenCVE

Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Velneo	Vclient

Configuration 1 [-]

cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps
https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver
https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps
https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena
https://velneo.es/mivelneo/listado-de-cambios-velneo-32/
https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0
https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32

History

Fri, 25 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Sep 2024 17:45:00 +0000

Type	Values Removed	Values Added
Description	Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.	Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2022-11-28T15:29:02.063Z

Updated: 2025-04-25T14:59:40.409Z

Reserved: 2021-12-13T00:00:00.000Z

Link: CVE-2021-45036

Vulnrichment

Updated: 2024-08-04T04:32:13.641Z

NVD

Status : Modified

Published: 2022-11-28T16:15:09.090

Modified: 2024-11-21T06:31:50.397

Link: CVE-2021-45036

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-45036", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "datePublished": "2022-11-28T15:29:02.063Z", "dateUpdated": "2025-04-25T14:59:40.409Z", "dateReserved": "2021-12-13T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Velneo vClient", "vendor": "Velneo", "versions": [{"status": "affected", "version": "28.1.3"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jes\u00fas R\u00f3denas Huerta, @Marmeus"}], "datePublic": "2022-11-22T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.</span>"}], "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-09T16:02:44.992Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.</span>"}], "value": "This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022."}], "source": {"advisory": "INCIBE-2022-1017", "defect": ["INCIBE-2021-0028"], "discovery": "EXTERNAL"}, "title": "Velneo vClient improper authentication", "x_generator": {"engine": "Vulnogram 0.0.9"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.641Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0", "tags": ["x_transferred"]}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", "tags": ["x_transferred"]}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T14:59:33.236304Z", "id": "CVE-2021-45036", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T14:59:40.409Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0", "tags": ["x_transferred"]}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", "tags": ["x_transferred"]}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", "tags": ["x_transferred"]}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.641Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-45036", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-25T14:59:33.236304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T14:59:37.111Z"}}], "cna": {"title": "Velneo vClient improper authentication", "source": {"defect": ["INCIBE-2021-0028"], "advisory": "INCIBE-2022-1017", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jes\u00fas R\u00f3denas Huerta, @Marmeus"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Velneo", "product": "Velneo vClient", "versions": [{"status": "affected", "version": "28.1.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.</span>", "base64": false}]}], "datePublic": "2022-11-22T23:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"}, {"url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"}, {"url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"}, {"url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"}, {"url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"}, {"url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-09T16:02:44.992Z"}}}, "cveMetadata": {"cveId": "CVE-2021-45036", "state": "PUBLISHED", "dateUpdated": "2025-04-25T14:59:40.409Z", "dateReserved": "2021-12-13T00:00:00.000Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2022-11-28T15:29:02.063Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:velneo:vclient:28.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "2802675E-9543-403C-95FF-3CFF1FC01896", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server."}, {"lang": "es", "value": "Velneo vClient en su versi\u00f3n 28.1.3 podr\u00eda permitir que un atacante con conocimiento del nombre de usuario y la contrase\u00f1a hash de la v\u00edctima falsifique la identificaci\u00f3n de la v\u00edctima en el servidor."}], "id": "CVE-2021-45036", "lastModified": "2024-11-21T06:31:50.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-28T16:15:09.090", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"}, {"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"}, {"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"}, {"source": "cve-coordination@incibe.es", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"}, {"source": "cve-coordination@incibe.es", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"}, {"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"}, {"source": "cve-coordination@incibe.es", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}