Vulnerability Details : CVE-2021-3391
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message.
Exploit prediction scoring system (EPSS) score for CVE-2021-3391
Probability of exploitation activity in the next 30 days: 0.08%
Percentile, the proportion of vulnerabilities that are scored at or below this score: ~34%
CVSS scores for CVE-2021-3391
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST |
References for CVE-2021-3391
- https://github.com/optiv/rustyIron
  GitHub - optiv/rustyIron (Third Party Advisory)
- https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
  MobileIron MDM Static Key Allows Account Enumeration | Optiv (Technical Description; Third Party Advisory)
- https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
  MobileIron Security Updates Available | Mobileiron.com (Not Applicable)
Products affected by CVE-2021-3391
- cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*
- cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*