CVE-2024-51558

This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user OTP, MPIN or password, which could lead to gain unauthorized access and compromise other user accounts.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:63moons:aero::::::::
	cpe:2.3:a:63moons:wave_2.0::::::::

History

08 Nov 2024, 15:19

Type	Values Removed	Values Added
First Time		63moons wave 2.0 63moons aero 63moons
CPE		cpe:2.3:a:63moons:aero:::::::: cpe:2.3:a:63moons:wave_2.0::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332 -~~	() https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332 - Third Party Advisory
Summary		(es) Esta vulnerabilidad existe en Wave 2.0 debido a la falta de restricciones para los intentos de autenticación fallidos excesivos en su inicio de sesión basado en API. Un atacante remoto podría aprovechar esta vulnerabilidad realizando un ataque de fuerza bruta contra el OTP, MPIN o contraseña de un usuario legítimo, lo que podría generar acceso no autorizado y comprometer otras cuentas de usuario.

04 Nov 2024, 13:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-04 13:17

Updated : 2024-11-08 15:19

NVD link : CVE-2024-51558

Mitre link : CVE-2024-51558

CVE.ORG link : CVE-2024-51558

JSON object : View

Products Affected

63moons

aero
wave_2.0

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2024-51558", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 9.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-04T13:17:05.450", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332", "tags": ["Third Party Advisory"], "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in the Wave 2.0\u00a0due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user OTP, MPIN or password, which could lead to gain unauthorized access and compromise other user accounts."}, {"lang": "es", "value": " Esta vulnerabilidad existe en Wave 2.0 debido a la falta de restricciones para los intentos de autenticaci\u00f3n fallidos excesivos en su inicio de sesi\u00f3n basado en API. Un atacante remoto podr\u00eda aprovechar esta vulnerabilidad realizando un ataque de fuerza bruta contra el OTP, MPIN o contrase\u00f1a de un usuario leg\u00edtimo, lo que podr\u00eda generar acceso no autorizado y comprometer otras cuentas de usuario."}], "lastModified": "2024-11-08T15:19:32.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:63moons:aero:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F04B8B0A-9AD2-4CB8-B164-4D024B9E8547", "versionEndExcluding": "120820241550"}, {"criteria": "cpe:2.3:a:63moons:wave_2.0:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CB8ACF7-4C40-492A-AA7E-41FDA5A3B913", "versionEndExcluding": "1.1.7"}], "operator": "OR"}]}], "sourceIdentifier": "vdisclose@cert-in.org.in"}