CVE-2021-3882: 
Linux Ubuntu vulnerability analysis and mitigation

LedgerSMB, a web-based double-entry accounting system, was found to have a security vulnerability (CVE-2021-3882) where it fails to set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. This vulnerability was discovered and disclosed in October 2021, affecting LedgerSMB versions 1.8.0 through 1.8.21 (LedgerSMB Advisory).

The vulnerability stems from LedgerSMB 1.8's switch from Basic authentication to cookie authentication with encrypted cookies. While the cookie content itself is encrypted, the absence of the 'Secure' attribute in HTTPS sessions makes it vulnerable to capture. The issue received a CVSS v3.1 Base Score of 6.8 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N from NVD, and a score of 5.9 (Medium) with vector CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N from huntr.dev. The vulnerability is classified under CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) (NVD).

If exploited, an attacker could obtain the authentication cookie and access the application as the compromised user. Although the attacker cannot access the information inside the cookie or the user's password, possession of the cookie alone is sufficient for application access. The impact is somewhat limited by proper audit control and separation of duties (LedgerSMB Advisory).

Users of LedgerSMB 1.8 are advised to upgrade to version 1.8.22 or later. Users of LedgerSMB 1.7 or 1.9 are unaffected. As a workaround, administrators can configure Apache using the 'Header always edit' command in modheaders module or Nginx using the 'proxycookie_flags' command to add the Secure attribute at the network boundary (LedgerSMB Advisory).