cvedb.io
CVE-2021-3882
MEDIUM · CVSS 6.8
EPSS exploitation probability: 0%
Published 2021-10-14T09:15:08.427 · Last modified 2026-06-17T04:05:56.423

Summary

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positio
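The condition described above (an origin behind a TLS-terminating reverse proxy only learns the client's scheme from a forwarded header, and must still mark its session cookie Secure) can be checked from a defender's side. The following is an added example, not LedgerSMB's code; the header names, cookie values and the `X-Forwarded-Proto` trust assumption are constructed for illustration.

```python
"""Audit Set-Cookie headers for a missing 'Secure' attribute when the
client reached the app over HTTPS via a reverse proxy (CVE-2021-3882).
Added example; not LedgerSMB code. Sample headers are constructed."""

from http.cookies import SimpleCookie

# Constructed sample: proxy reports the client used HTTPS, yet the
# session cookie is emitted without Secure (the vulnerable pattern).
REQUEST_HEADERS = {"X-Forwarded-Proto": "https"}
RESPONSE_SET_COOKIES = [
    "LedgerSMB=ZXhhbXBsZQ; Path=/; HttpOnly",  # session cookie, no Secure
    "theme=dark; Path=/; Secure; HttpOnly",    # correctly flagged
]


def client_used_https(request_headers, proxy_trusted=True):
    """Behind a reverse proxy the origin sees plain HTTP, so the real
    scheme comes from X-Forwarded-Proto; that header is only meaningful
    if the proxy is trusted to set it (assumption made explicit here)."""
    if not proxy_trusted:
        return False
    return request_headers.get("X-Forwarded-Proto", "").lower() == "https"


def cookies_missing_secure(set_cookie_values):
    """Return names of cookies set without the Secure attribute."""
    missing = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["secure"]:  # '' when the flag is absent
                missing.append(name)
    return missing


def audit(request_headers, set_cookie_values):
    """Findings: cookies that will be replayable over cleartext HTTP
    even though this client is on HTTPS behind the proxy."""
    if not client_used_https(request_headers):
        return []
    return cookies_missing_secure(set_cookie_values)


def harden(set_cookie_value):
    """Mitigation: re-emit the header with Secure set (other attributes
    such as Path and HttpOnly are preserved by SimpleCookie)."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    for morsel in jar.values():
        morsel["secure"] = True
    return "; ".join(m.OutputString() for m in jar.values())
```

Running `audit(REQUEST_HEADERS, RESPONSE_SET_COOKIES)` reports only the `LedgerSMB` cookie; `harden()` shows the corrected header the origin should send.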

Affected products

ledgersmb — ledgersmb

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.