CVE-2021-27215
CVE-2021-27215 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use different methods to perform the authentication of a user. EPSS estimates a 2.35% chance of exploitation in the next 30 days.
Description
An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use different methods to perform the authentication of a user. A specific authentication method during login does not check the provided data (when a certain manipulation occurs) and returns OK for any authentication request. This allows an attacker to log in to the admin panel as a user of his choice, e.g., the root user (with highest privileges) or even a non-existing user.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Genua | Genuagate | <= 9.0 |
| Genua | Genuagate | >= 10.0, <= 10.1 |
| Genua | Genuagate | 9.0 |
| Genua | Genuagate | 9.6.0 |
| Genua | Genuagate | 10.1 |
References
- https://kunde.genua.de/en/overview/genugate.html (Patch, Vendor Advisory)
- https://sec-consult.com/vulnerability-lab/advisory/authentication-bypass-genua-genugate/ (Exploit, Third Party Advisory)
Source: NVD / NIST
