CVE-2021-3882: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in LedgerSMB

Severity
NVD: 6.8 MEDIUM
OSV: 9.6
EPSS: 0.1% (top 69.83%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Oct 14
Latest update: Jul 17

Description

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user into using an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2

Affected Packages (4 packages)

NVD: ledgersmb/ledgersmb, 1.8.0 to 1.8.22
CVEListV5: ledgersmb/ledgersmb_ledgersmb, 1.8.0 to unspecified (+1 more)
Ubuntu: ledgersmb/ledgersmb, < 1.6.33+ds-1ubuntu0.1 (+4 more)

Patches

Vulnerability Details (3)

OSV: ledgersmb vulnerabilities (2025-07-17)
GHSA: GHSA-q34c-v76q-8jx6: LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reve (2022-05-24)
OSV: CVE-2021-3882: LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reve (2021-10-14)

Vendor Advisories (2)

Ubuntu: LedgerSMB vulnerabilities (2025-07-17)
Debian: CVE-2021-3882: ledgersmb - LedgerSMB does not set the 'Secure' attribute on the session authorization cooki... (2021)