CVE-2021-36750

Опубликовано: 22 дек. 2021

Источник: nvd

CVSS3: 8.1

CVSS2: 5.5

EPSS Средний

Описание

ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).

Ссылки

https://encsecurity.zendesk.com/hc/en-us/articles/4413283717265-Update-for-ENC-Software
Vendor Advisory
https://pretalx.c3voc.de/rc3-2021-r3s/talk/QMYGR3/
Third Party Advisory
https://www.encsecurity.com/solutions.php
Product
https://www.westerndigital.com/en-ap/support/product-security/wdc-21014-sandisk-secureaccess-software-update
Third Party Advisory
https://encsecurity.zendesk.com/hc/en-us/articles/4413283717265-Update-for-ENC-Software
Vendor Advisory
https://pretalx.c3voc.de/rc3-2021-r3s/talk/QMYGR3/
Third Party Advisory
https://www.encsecurity.com/solutions.php
Product
https://www.westerndigital.com/en-ap/support/product-security/wdc-21014-sandisk-secureaccess-software-update
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:zendesk:enc_datavault:*:*:*:*:*:*:*:*

Версия до 7.2 (исключая)

cpe:2.3:a:zendesk:enc_vaultapi:*:*:*:*:*:*:*:*

Версия до 67.0 (исключая)

Конфигурация 2

cpe:2.3:a:sandisk:secureaccess:3.02:*:*:*:*:*:*:*

EPSS

Процентиль: 95%

0.19701

Средний

8.1 High

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-307

Связанные уязвимости

GHSA-pj9c-cg8c-hvp4

github

около 4 лет назад

ENC DataVault 7.1.1W and VaultAPI v67, which is currently being used in various other applications, mishandles key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).