CVE-2021-35236
3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SolarWinds | Kiwi Syslog Server | 9.7.2 and Previous Versions < 9.8 | affected |
Weaknesses
- CWE-614: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
ADP Enrichment
CVE Program Container
Additional References
- https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236
References
- https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.