Details of VAR-202112-2072

ID

VAR-202112-2072

CVE

CVE-2021-45379

TITLE

Glewlwyd Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-017435

DESCRIPTION

Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access control vulnerability. One user can attempt to log in as another user without its password. Glewlwyd There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Glewlwyd is a server for single sign-on server, OAuth2, OpenidConnect, multi-factor authentication, HOTP/TOTP, FIDO2, TLS certificates, etc., which can be extended through plugins Glewlwyd has an access control vulnerability, which is related to the logical judgment of the affected version. An attacker can exploit this vulnerability to obtain account information

Trust: 2.25

sources: NVD: CVE-2021-45379 // JVNDB: JVNDB-2021-017435 // CNVD: CNVD-2022-08347 // VULMON: CVE-2021-45379

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-08347

AFFECTED PRODUCTS

vendor:	glewlwyd	model:	glewlwyd	scope:	lt	version:	2.6.1	Trust: 1.0
vendor:	glewlwyd	model:	glewlwyd	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	glewlwyd sso server	model:	glewlwyd sso server	scope:	eq	version:	2.6.1	Trust: 0.8
vendor:	glewlwyd sso server	model:	glewlwyd sso server	scope:	eq	version:	-	Trust: 0.8
vendor:	glewlwyd	model:	glewlwyd	scope:	gte	version:	2.0.0,<2.6.1	Trust: 0.6

sources: CNVD: CNVD-2022-08347 // JVNDB: JVNDB-2021-017435 // NVD: CVE-2021-45379

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-45379
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-45379
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-08347
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202112-2792
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-45379
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-08347
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-45379
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-45379
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-08347 // JVNDB: JVNDB-2021-017435 // CNNVD: CNNVD-202112-2792 // NVD: CVE-2021-45379

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.0
problemtype:	Inappropriate authentication (CWE-287) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-017435 // NVD: CVE-2021-45379

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-2792

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202112-2792

PATCH

title:	Fix update session when auth fail GitHub	url:	https://github.com/babelouest/glewlwyd/commit/125281f1c0d4b6a8b49f7e55a757205a2ef01fbe	Trust: 0.8
title:	Patch for Glewlwyd Access Control Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/317626	Trust: 0.6
title:	Glewlwyd SSO server Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=177162	Trust: 0.6

sources: CNVD: CNVD-2022-08347 // JVNDB: JVNDB-2021-017435 // CNNVD: CNNVD-202112-2792

EXTERNAL IDS

db:	NVD	id:	CVE-2021-45379	Trust: 3.9
db:	JVNDB	id:	JVNDB-2021-017435	Trust: 0.8
db:	CNVD	id:	CNVD-2022-08347	Trust: 0.6
db:	CNNVD	id:	CNNVD-202112-2792	Trust: 0.6
db:	VULMON	id:	CVE-2021-45379	Trust: 0.1

sources: CNVD: CNVD-2022-08347 // VULMON: CVE-2021-45379 // JVNDB: JVNDB-2021-017435 // CNNVD: CNNVD-202112-2792 // NVD: CVE-2021-45379

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-45379	Trust: 2.0
url:	https://github.com/babelouest/glewlwyd/releases/tag/v2.6.1	Trust: 1.7
url:	https://github.com/babelouest/glewlwyd/commit/125281f1c0d4b6a8b49f7e55a757205a2ef01fbe	Trust: 1.7
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-08347 // VULMON: CVE-2021-45379 // JVNDB: JVNDB-2021-017435 // CNNVD: CNNVD-202112-2792 // NVD: CVE-2021-45379

SOURCES

db:	CNVD	id:	CNVD-2022-08347
db:	VULMON	id:	CVE-2021-45379
db:	JVNDB	id:	JVNDB-2021-017435
db:	CNNVD	id:	CNNVD-202112-2792
db:	NVD	id:	CVE-2021-45379

LAST UPDATE DATE

2024-11-23T22:44:07.485000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-08347	date:	2022-02-05T00:00:00
db:	VULMON	id:	CVE-2021-45379	date:	2021-12-30T00:00:00
db:	JVNDB	id:	JVNDB-2021-017435	date:	2023-01-18T05:30:00
db:	CNNVD	id:	CNNVD-202112-2792	date:	2022-07-14T00:00:00
db:	NVD	id:	CVE-2021-45379	date:	2024-11-21T06:32:08.307

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-08347	date:	2022-02-04T00:00:00
db:	VULMON	id:	CVE-2021-45379	date:	2021-12-30T00:00:00
db:	JVNDB	id:	JVNDB-2021-017435	date:	2023-01-18T00:00:00
db:	CNNVD	id:	CNNVD-202112-2792	date:	2021-12-30T00:00:00
db:	NVD	id:	CVE-2021-45379	date:	2021-12-30T18:15:07.463