CVE-2021-40851 - OpenCVE

TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tcman	Gim

Configuration 1 [-]

OR	cpe:2.3:a:tcman:gim:8.0:::::::*
	cpe:2.3:a:tcman:gim:11.0:::::::*

References

Link	Resource
https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-sql-improper-authentication	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2021-12-17T00:00:00

Updated: 2021-12-17T16:10:32

Reserved: 2021-09-10T00:00:00

Link: CVE-2021-40851

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-17T17:15:13.173

Modified: 2021-12-21T18:45:04.417

Link: CVE-2021-40851

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "GIM", "vendor": "TCMAN", "versions": [{"status": "affected", "version": "8.0"}, {"status": "affected", "version": "11.0"}]}], "credits": [{"lang": "en", "value": "Francisco Palma, Luis V\u00e1zquez and Diego Le\u00f3n"}], "datePublic": "2021-12-17T00:00:00", "descriptions": [{"lang": "en", "value": "TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-17T16:10:32", "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-sql-improper-authentication"}], "solutions": [{"lang": "en", "value": "This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734"}], "source": {"advisory": "INCIBE-2021-0509", "discovery": "EXTERNAL"}, "title": "TCMAN GIM SQL injection vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2021-12-17T09:00:00.000Z", "ID": "CVE-2021-40851", "STATE": "PUBLIC", "TITLE": "TCMAN GIM SQL injection vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GIM", "version": {"version_data": [{"version_affected": "=", "version_name": "8.0", "version_value": "8.0"}, {"version_affected": "=", "version_name": "11.0", "version_value": "11.0"}]}}]}, "vendor_name": "TCMAN"}]}}, "credit": [{"lang": "eng", "value": "Francisco Palma, Luis V\u00e1zquez and Diego Le\u00f3n"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287 Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-sql-improper-authentication", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-sql-improper-authentication"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734"}], "source": {"advisory": "INCIBE-2021-0509", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2021-40851", "datePublished": "2021-12-17T00:00:00", "dateReserved": "2021-09-10T00:00:00", "dateUpdated": "2021-12-17T16:10:32", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tcman:gim:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "2BE48837-D1A0-4B9B-A4E8-9217D8002D5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:tcman:gim:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6B3BFF6-FD8C-4E8F-8D81-96D988E03C9F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information."}, {"lang": "es", "value": "TCMAN GIM es vulnerable a una falta de autorizaci\u00f3n en todos los m\u00e9todos de webservice disponibles listados en el archivo /PC/WebService.asmx. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto obtener informaci\u00f3n"}], "id": "CVE-2021-40851", "lastModified": "2021-12-21T18:45:04.417", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2021-12-17T17:15:13.173", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-sql-improper-authentication"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}