CVE-2021-3391
CVE-2021-3391 is a medium-severity vulnerability in Mobileiron Mobile@work with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 1% (63rd percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Mobileiron Mobile@work
- Published:
- Last modified:
Description
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message
Frequently asked questions
- What is CVE-2021-3391?
- MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message
- How severe is CVE-2021-3391?
- CVE-2021-3391 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-3391 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (63rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-3391?
- CVE-2021-3391 primarily affects Mobileiron Mobile@work. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-3391?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-3391 published?
- CVE-2021-3391 was published on 2021-03-29 and last updated on 2026-06-17.
References
- https://github.com/optiv/rustyIron
- https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
- https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
Affected products (2)
- cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*
- cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*
More vulnerabilities in Mobileiron Mobile@work
- CVE-2020-35138 — Critical (CVSS 9.8): The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the…
- CVE-2020-35137 — High (CVSS 7.5): The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the…
- CVE-2014-5903 — Medium (CVSS 5.4): The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL…