CVE-2021-3391 - Vulnerability Details - OpenCVE

MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mobileiron	Mobile\@work

Configuration 1 [-]

OR	cpe:2.3:a:mobileiron:mobile\@work::::::android::*
	cpe:2.3:a:mobileiron:mobile\@work::::::iphone_os::*

No data.

References

Link	Providers
https://github.com/optiv/rustyIron
https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-29T19:37:09

Updated: 2024-08-03T16:53:17.425Z

Reserved: 2021-02-02T00:00:00

Link: CVE-2021-3391

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-29T20:15:13.533

Modified: 2024-11-21T06:21:23.850

Link: CVE-2021-3391

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-29T19:37:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"}, {"tags": ["x_refsource_MISC"], "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/optiv/rustyIron"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-3391", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available", "refsource": "MISC", "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"}, {"name": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration", "refsource": "MISC", "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"}, {"name": "https://github.com/optiv/rustyIron", "refsource": "MISC", "url": "https://github.com/optiv/rustyIron"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:53:17.425Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/optiv/rustyIron"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-3391", "datePublished": "2021-03-29T19:37:09", "dateReserved": "2021-02-02T00:00:00", "dateUpdated": "2024-08-03T16:53:17.425Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobileiron:mobile\\@work:*:*:*:*:*:android:*:*", "matchCriteriaId": "4E437DFA-FB46-4857-9E4E-05C6E94D8D02", "versionEndIncluding": "11.0.0.0.115r", "vulnerable": true}, {"criteria": "cpe:2.3:a:mobileiron:mobile\\@work:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "CCE5A364-960D-49FB-B12F-9CB46013EB1D", "versionEndIncluding": "12.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"}, {"lang": "es", "value": "MobileIron Mobile@Work hasta el 22 de marzo de 2021, permite a atacantes distinguir entre cuentas de usuario v\u00e1lidas, desactivadas e inexistentes al observar el n\u00famero de intentos fallidos de inicio de sesi\u00f3n necesarios para producir un mensaje de error de bloqueo"}], "id": "CVE-2021-3391", "lastModified": "2024-11-21T06:21:23.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-29T20:15:13.533", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/optiv/rustyIron"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/optiv/rustyIron"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}