Missing encryption of sensitive data in LedgerSMB
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Missing Encryption of Sensitive Data
EUVDB-ID: #VU99654
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3882
CWE-ID:
CWE-311 - Missing Encryption of Sensitive Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. A remote attacker can trick a user into using an unencrypted connection (HTTP) to obtain the authentication data by capturing network traffic.
MitigationInstall update from vendor's website.
Vulnerable software versionsLedgerSMB: 1.8.0 - 1.8.31
CPE2.3- cpe:2.3:a:ledgersmb:ledgersmb:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:ledgersmb:ledgersmb:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:ledgersmb:ledgersmb:1.8.2:*:*:*:*:*:*:*
https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d
https://github.com/ledgersmb/ledgersmb/commit/c242f5a2abf4b99b0da205473cbba034f306bfe2
https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
