#VU99654 Missing Encryption of Sensitive Data in LedgerSMB - CVE-2021-3882

Cybersecurity Help s.r.o.

Published: 2024-11-04

Vulnerability identifier: #VU99654

Vulnerability risk: Medium

CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3882

CWE-ID: CWE-311

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LedgerSMB
Web applications / CRM systems

Vendor: LedgerSMB

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. A remote attacker can trick a user into using an unencrypted connection (HTTP) to obtain the authentication data by capturing network traffic.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LedgerSMB: 1.8.0 - 1.8.31

External links
https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d
https://github.com/ledgersmb/ledgersmb/commit/c242f5a2abf4b99b0da205473cbba034f306bfe2
https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Planning Analytics and IBM Planning Analytics Workspace

Missing encryption of sensitive data in LedgerSMB