Headline
CVE-2021-40851: TCMAN GIM SQL improper authentication
TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information.
Description:
INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0509, which has been discovered by Francisco Palma, Luis Vázquez and Diego León from Zerolynx, with special mention to Jesús Alcalde, David Jiménez, José Hermoso, Sergio Gutiérrez, Juan Antonio Calles, Elina Cárdenas, Helena Jalain and Jorge Escabias.
CVE-2021-40851 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Solution:
This vulnerability has been fixed by TCMAN in GIM v8.0.1 Release 31734.
Detail:
TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx.
The exploitation of this vulnerability might allow a remote attacker to obtain information.
CWE-287: improper authentication.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.