#VU99654 Missing Encryption of Sensitive Data in LedgerSMB - CVE-2021-3882

Published: November 4, 2024


Vulnerability identifier: #VU99654
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3882
CWE-ID: CWE-311
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: LedgerSMB
Software vendor: LedgerSMB

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client connects over HTTPS but the LedgerSMB server sits behind a TLS-terminating reverse proxy. A remote attacker can trick a user into using an unencrypted connection (HTTP), causing the browser to send the session cookie in cleartext, and obtain the authentication data by capturing network traffic.
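The following added example (not LedgerSMB's own code) shows how a defender can audit this condition: it derives the client's real scheme from the `X-Forwarded-Proto` header a trusted reverse proxy forwards, then reports any Set-Cookie header issued to an HTTPS client without the `Secure` attribute. The cookie names and header values are constructed for illustration.

```python
# Audit Set-Cookie headers for the CWE-311 condition: a session cookie
# issued to an HTTPS client without the Secure attribute. Added example,
# not LedgerSMB code; all sample data below is constructed.


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def client_uses_https(backend_scheme, x_forwarded_proto=None):
    """Behind a TLS-terminating proxy the backend sees plain HTTP, so the
    client's scheme must come from X-Forwarded-Proto (assumed to be set
    only by a trusted proxy; the first value wins if several are chained)."""
    scheme = (x_forwarded_proto or backend_scheme).split(",")[0].strip().lower()
    return scheme == "https"


def cookies_missing_secure(set_cookie_headers, backend_scheme, x_forwarded_proto=None):
    """Return the names of cookies set over HTTPS without the Secure attribute.
    Over plain HTTP there is nothing to flag, since Secure would not apply."""
    if not client_uses_https(backend_scheme, x_forwarded_proto):
        return []
    return [parse_set_cookie(h)["name"] for h in set_cookie_headers
            if "secure" not in parse_set_cookie(h)["attrs"]]


# Constructed sample: proxy terminated TLS, backend answered over HTTP and
# emitted its session cookie without Secure (the vulnerable pattern).
VULNERABLE_RESPONSE = ["SESSIONID=constructed-value; Path=/; HttpOnly"]
FIXED_RESPONSE = ["SESSIONID=constructed-value; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print(cookies_missing_secure(VULNERABLE_RESPONSE, "http", "https"))  # ['SESSIONID']
    print(cookies_missing_secure(FIXED_RESPONSE, "http", "https"))       # []
```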


Remediation

Install updates from vendor's website.

External links