Security & Compliance

DEVO-2021-0005

Summary

A vulnerability was fixed where private keys were returned unencrypted by the connections/partial endpoint.

Affected products

Devolutions Server 2021.1.17 and earlier.
Devolutions Server 2020.3.20 (LTS) and earlier.

Changelog

Initial Publication - 2021-06-30
Added CVE - 2021-07-13

Severity

Low

Product

Devolutions Server

Fixed version

2021.1.18, 2020.3.21 (LTS)

Private key returned unencrypted in connections/partial endpoint (CVE-2021-36382)

Description

Private keys are returned by the connections/partial endpoint without being encrypted. This could lead to data exposure for installations that do not have TLS enabled.

Remediation and workarounds

Update to Devolutions Server 2021.1.18 or higher.
Update to Devolutions Server LTS 2020.3.21 or higher.

This issue is completely mitigated when Devolutions Server is configured to use TLS. The confidentiality of private keys can also be protected by setting a strong password on them.
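To audit the second mitigation, the following added example (not Devolutions code) classifies private key material as passphrase-protected or plaintext from its envelope alone. The advisory does not say which key formats Devolutions Server stores, so the formats covered (PKCS#8, legacy PEM, OpenSSH, PuTTY PPK) are an assumption, and the sample keys are constructed stubs.

```python
import base64
import re
import struct

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
OPENSSH_MAGIC = b"openssh-key-v1\0"

def openssh_cipher(body: str) -> str:
    """Return the ciphername field that follows the magic in an OpenSSH key blob."""
    raw = base64.b64decode("".join(body.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack_from(">I", raw, len(OPENSSH_MAGIC))
    start = len(OPENSSH_MAGIC) + 4
    return raw[start:start + n].decode("ascii")

def key_protection(text: str) -> str:
    """Classify key material as 'encrypted', 'plaintext' or 'unknown'."""
    if text.startswith("PuTTY-User-Key-File-"):
        m = re.search(r"^Encryption: (\S+)", text, re.MULTILINE)
        if m is None:
            return "unknown"
        return "plaintext" if m.group(1) == "none" else "encrypted"
    m = PEM_RE.search(text)
    if m is None:
        return "unknown"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            return "plaintext" if openssh_cipher(body) == "none" else "encrypted"
        except (ValueError, struct.error):
            return "unknown"
    # Legacy PEM (RSA/EC/DSA) marks encryption with an RFC 1421 header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "plaintext"

def stub_pem(label: str, body: str = "Q09OU1RSVUNURUQ=") -> str:
    """Constructed PEM envelope with a placeholder body (not a real key)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def stub_openssh(cipher: bytes) -> str:
    """Constructed OpenSSH envelope carrying only the magic and ciphername."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return stub_pem("OPENSSH PRIVATE KEY", base64.b64encode(blob).decode())

if __name__ == "__main__":
    for sample in (stub_pem("PRIVATE KEY"), stub_pem("ENCRYPTED PRIVATE KEY"),
                   stub_openssh(b"none"), stub_openssh(b"aes256-ctr")):
        print(sample.splitlines()[0], "->", key_protection(sample))
```

A result of "encrypted" only shows that a passphrase is set; it says nothing about how strong that passphrase is.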

Severity

Low - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected products

Devolutions Server 2021.1.17 and earlier.
Devolutions Server LTS 2020.3.20 and earlier.

CVE(s)

CVE-2021-36382
