CVE-2021-43935
15.12.2021, 19:15
The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.Enginsight
| Vendor | Product | Version |
|---|---|---|
| baxter | welch_allyn_connex_cardio | 1.0.0 ≤ 𝑥 ≤ 1.1.1 |
| baxter | welch_allyn_diagnostic_cardiology_suite | 2.1.0 |
| baxter | welch_allyn_rscribe_resting_ecg_system | 5.01 ≤ 𝑥 ≤ 7.0.0 |
| baxter | welch_allyn_vision_express_holter_analysis_system | 6.1.0 ≤ 𝑥 ≤ 6.4.0 |
| baxter | welch_allyn_hscribe_holter_analysis_system_firmware | 5.01 ≤ 𝑥 ≤ 6.4.0 |
| baxter | welch_allyn_q-stress_cardiac_stress_testing_system_firmware | 6.0.0 ≤ 𝑥 ≤ 6.3.1 |
| baxter | welch_allyn_xscribe_cardiac_stress_testing_system_firmware | 5.01 ≤ 𝑥 ≤ 6.3.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-288 - Authentication Bypass Using an Alternate Path or ChannelA product requires authentication, but the product has an alternate path or channel that does not require authentication.
- CWE-287 - Improper AuthenticationWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.