Anuko Time Tracker における不十分なランダム値の使用に関する脆弱性
| Title |
Anuko Time Tracker における不十分なランダム値の使用に関する脆弱性
|
| Summary |
Anuko Time Trackerには、不十分なランダム値の使用に関する脆弱性が存在します。
|
| Possible impacts |
情報を取得される、および情報を改ざんされる可能性があります。 |
| Solution |
ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date |
Feb. 28, 2021, midnight |
| Registration Date |
Nov. 10, 2021, noon |
| Last Update |
Nov. 10, 2021, noon |
|
CVSS3.0 : 緊急
|
| Score |
9.1
|
| Vector |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
CVSS2.0 : 警告
|
| Score |
5
|
| Vector |
AV:N/AC:L/Au:N/C:N/I:P/A:N |
Affected System
| Anuko |
|
Time Tracker 1.19.24.5415 未満
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
Change Log
| No |
Changed Details |
Date of change |
| 1 |
[2021年11月10日]
掲載 |
Nov. 10, 2021, noon |
NVD Vulnerability Information
CVE-2021-21352
| Summary |
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).
|
| Publication Date |
March 3, 2021, 10:15 a.m. |
| Registration Date |
March 3, 2021, 4:02 p.m. |
| Last Update |
Nov. 21, 2024, 2:48 p.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:* |
|
|
|
1.19.24.5415 |
Related information, measures and tools
Common Vulnerabilities List