CVE-2021-35236

Description

The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

SolarWinds / Kiwi Syslog Server9.7.2 and Previous Versions – 9.8

References

MISChttps://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm
VENDOR_ADVISORYhttps://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236