Vulnerability Description
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Uci | Idol2 | <= 2.12 |
Related Weaknesses (CWE)
References
- http://download.uci.de/idol2/idol2Client_2_12.exeBroken Link
- https://uci.de/download/idol2-client.htmlProductRelease Notes
- https://uci.de/products/index.htmlProduct
- https://www.syss.de/en/responsible-disclosure-policyIssue Tracking
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-048.tThird Party Advisory
FAQ
What is CVE-2024-45165?
CVE-2024-45165 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software Gmb...
How severe is CVE-2024-45165?
CVE-2024-45165 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-45165?
Check the references section above for vendor advisories and patch information. Affected products include: Uci Idol2.