Sécurité et conformité
DEVO-2021-0005
Résumé
A vulnerability was fixed were private key were returned unencrypted by the connections/partial endpoint.
Produits affectés
Devolutions Server 2021.1.17 and earlier.
Devolutions Server 2020.3.20 (LTS) and earlier.
Journal des modifications
Initial Publication - 2021-06-30 Added CVE - 2021-07-13
Sévérité
Low
Produit
Devolutions Server
Version corrigée
2021.1.18, 2020.3.21 (LTS)
Private key returned unencrypted in connections/partial endpoint (CVE-2021-36382)
Description
Private keys are returned by the connections/partial endpoint without being encrypted. This could lead to data exposure for installations that do not have TLS enabled.
Mesures correctives et solutions de contournement
Update to Devolutions Server 2021.1.18 or higher.
Update to Devolutions Server LTS 2020.3.21 or higher.
This issue is completely mitigated when Devolutions Server is configured to use TLS. The confidentiality of private keys can also be protected by setting a strong password on them.
Sévérité
Low - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Produits affectés
Devolutions Server 2021.1.17 and earlier.
Devolutions Server LTS 2020.3.20 and earlier.
CVE(s)
CVE-2021-36382