#VU99654 Missing Encryption of Sensitive Data in LedgerSMB


Vulnerability identifier: #VU99654

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3882

CWE-ID: CWE-311

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LedgerSMB
Web applications / CRM systems

Vendor: LedgerSMB

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. A remote attacker can trick a user into using an unencrypted connection (HTTP) to obtain the authentication data by capturing network traffic.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LedgerSMB: 1.8.0 - 1.8.31


External links
http://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d
http://github.com/ledgersmb/ledgersmb/commit/c242f5a2abf4b99b0da205473cbba034f306bfe2
http://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability