CVE-2021-36751

Опубликовано: 02 янв. 2022

Источник: nvd

CVSS3: 4.2

CVSS2: 6.4

EPSS Низкий

Описание

ENC DataVault 7.2.3 and before, and OEM versions, use an encryption algorithm that is vulnerable to data manipulation (without knowledge of the key). This is called ciphertext malleability. There is no data integrity mechanism to detect this manipulation.

Ссылки

https://encsecurity.zendesk.com/hc/en-us/articles/4413283717265-Update-for-ENC-Software
Vendor Advisory
https://encsecurity.zendesk.com/hc/en-us/articles/7860771829533
Vendor Advisory
https://pretalx.c3voc.de/rc3-2021-r3s/talk/QMYGR3/
Third Party Advisory
https://encsecurity.zendesk.com/hc/en-us/articles/4413283717265-Update-for-ENC-Software
Vendor Advisory
https://encsecurity.zendesk.com/hc/en-us/articles/7860771829533
Vendor Advisory
https://pretalx.c3voc.de/rc3-2021-r3s/talk/QMYGR3/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:encsecurity:datavault:*:*:*:*:*:*:*:*

Версия до 7.2.3 (включая)

EPSS

Процентиль: 39%

0.00172

Низкий

4.2 Medium

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-345

Связанные уязвимости

GHSA-hqgq-3r9h-h993

CVSS3: 9.1

github

около 4 лет назад

ENC DataVault 7.1.1W uses an inappropriate encryption algorithm, such that an attacker (who does not know the secret key) can make ciphertext modifications that are reflected in modified plaintext. There is no data integrity mechanism. (This behavior occurs across USB drives sold under multiple brand names.)