CVE-2021-3882
CVE-2021-3882 is a medium-severity vulnerability in Ledgersmb with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-311.
Key facts
- Severity: Medium (CVSS 3.x base score 6.8)
- CVSS v2: 4.0
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-311
- Affected product: Ledgersmb
- Published:
- Last modified:
Description
LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
Frequently asked questions
- What is CVE-2021-3882?
- LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
- How severe is CVE-2021-3882?
- CVE-2021-3882 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2021-3882 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-3882?
- CVE-2021-3882 affects Ledgersmb. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-3882?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-3882 published?
- CVE-2021-3882 was published on 2021-10-14 and last updated on 2026-06-17.
References
- https://github.com/ledgersmb/ledgersmb/commit/c242f5a2abf4b99b0da205473cbba034f306bfe2
- https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d
- https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie
Affected products (1)
- cpe:2.3:a:ledgersmb:ledgersmb:*:*:*:*:*:*:*:*
More vulnerabilities in Ledgersmb
- CVE-2007-5372 — Critical (CVSS 10.0): Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through 1.2.7 and (b) DWS Systems SQL-Ledger 2.x allow…
- CVE-2007-3907 — Critical (CVSS 10.0): Unspecified vulnerability in login.pl in LedgerSMB 1.2.0 through 1.2.6 allows remote attackers to bypass authentication…
- CVE-2007-1329 — Critical (CVSS 10.0): Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before 1.1.5, allows remote attackers to read and…
- CVE-2018-9246 — Critical (CVSS 9.8): The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently…
- CVE-2007-1437 — Critical (CVSS 9.0): Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite…
- CVE-2021-3693 — High (CVSS 8.8): LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL…
All CVEs affecting Ledgersmb →
Other CWE-311 (Missing Encryption of Sensitive Data) vulnerabilities
- CVE-2023-6339 — Critical (CVSS 10.0): Google Nest WiFi Pro root code-execution & user-data compromise
- CVE-2023-4420 — Critical (CVSS 9.8): A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of…
- CVE-2023-0750 — Critical (CVSS 9.8): Yellobrik PEC-1864 implements authentication checks via javascript in the frontend interface. When the device can be…
- CVE-2020-15331 — Critical (CVSS 9.8): Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess.
- CVE-2019-3431 — Critical (CVSS 9.8): All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product have encryption problems vulnerability. Attackers…
- CVE-2019-12924 — Critical (CVSS 9.8): MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be…
Browse all CWE-311 (Missing Encryption of Sensitive Data) vulnerabilities →