9.8

CVE-2021-36767

In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully log in to the server.

Data provided by the National Vulnerability Database (NVD)

Affected products:
Digi RealPort (Linux software platform), version <= 1.9-40
Digi RealPort (Windows software platform), version <= 4.10.490
Digi CM firmware (no version specified)
Digi 6350-SR firmware (no version specified)
Digi One IA firmware (no version specified)
Digi WR31 firmware (no version specified)
Digi WR44 R firmware (no version specified)
Digi Connect ES firmware (no version specified)
Digi WR21 firmware (no version specified)
Digi One IAP firmware (no version specified)
Digi One IAP Haz firmware (no version specified)
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.24%   0.475

CVSS Metrics
Source         Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov   9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov   7.5          10              6.4            AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-916: Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.