CVE-2021-27772

Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group conversations without being part of it. This could lead to information leakage where confidential information discussed in private groups is read by other users without the users knowledge.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hcltech:sametime:11.6:*:*:*:*:*:*:*

History

29 Jul 2022, 13:45

Type	Values Removed	Values Added
CWE	~~CWE-863~~	NVD-CWE-noinfo

24 May 2022, 15:49

Type	Values Removed	Values Added
CWE		CWE-863
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 6.5
CPE		cpe:2.3:a:hcltech:sametime:11.6:::::::*
References	~~(MISC) https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430 -~~	(MISC) https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430 - Vendor Advisory

12 May 2022, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-05-12 22:15

Updated : 2024-02-04 22:29

NVD link : CVE-2021-27772

Mitre link : CVE-2021-27772

CVE.ORG link : CVE-2021-27772

JSON object : View

Products Affected

hcltech

sametime

CWE

NVD-CWE-noinfo CWE-285

Improper Authorization

{"id": "CVE-2021-27772", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2022-05-12T22:15:11.943", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430", "tags": ["Vendor Advisory"], "source": "psirt@hcl.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "psirt@hcl.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group conversations without being part of it. This could lead to information leakage where confidential information discussed in private groups is read by other users without the users knowledge."}, {"lang": "es", "value": "Los usuarios pueden leer las conversaciones de grupo sin participar activamente en ellas. Adem\u00e1s de las conversaciones uno a uno, los usuarios pueden iniciar conversaciones de grupo con varios usuarios. Se ha detectado que es posible obtener el contenido de estas conversaciones de grupo sin formar parte de ellas. Esto podr\u00eda conllevar a un filtrado de informaci\u00f3n en la que la informaci\u00f3n confidencial que se discute en los grupos privados es le\u00edda por otros usuarios sin que \u00e9stos lo sepan"}], "lastModified": "2022-07-29T13:45:41.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:sametime:11.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B6E07B1-4DD8-4D9C-8DC1-063FEAD8BA52"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@hcl.com"}