CVE-2021-23207
21.01.2022, 19:15
An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users.Enginsight
| Vendor | Product | Version |
|---|---|---|
| fresenius-kabi | agilia_partner_maintenance_software | 𝑥 ≤ 3.3.0 |
| fresenius-kabi | vigilant_centerium | 1.0 |
| fresenius-kabi | vigilant_insight | 1.0 |
| fresenius-kabi | vigilant_mastermed | 1.0 |
| fresenius-kabi | link\+_agilia_firmware | 𝑥 < 3.0 |
| fresenius-kabi | link\+_agilia_firmware | 3.0 |
| fresenius-kabi | link\+_agilia_firmware | 3.0:d15 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-256 - Plaintext Storage of a PasswordStoring a password in plaintext may result in a system compromise.
- CWE-522 - Insufficiently Protected CredentialsThe product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.