CVE-2021-45893: 
Homebrew vulnerability analysis and mitigation

An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4 that involves Improper Handling of Case Sensitivity (CWE-178), which makes password guessing easier. The vulnerability was discovered on October 19, 2021, reported to the manufacturer on November 9, 2021, and publicly disclosed on April 1, 2022 (SYSS Advisory).

The vulnerability stems from the application's password handling mechanism where it converts passwords of application users to upper case before storing them in the database. This conversion is also applied to the password a user enters during login. The issue specifically affects application passwords stored in the table BENUTZER and the column PASSWORT, but not the passwords stored in the column TMPASSWORT in the same table. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

The vulnerability makes the application susceptible to password-guessing attacks, where an attacker only needs to try uppercase letters but not lowercase ones (or vice versa). Additionally, it may not be possible to use ZA|ARC in compliance with certain common password policies and a corporate environment (SYSS Advisory).

The manufacturer has confirmed that the vulnerability will not be fixed in ZA|ARC. Users are advised to upgrade to zaarc.next when it becomes available (SYSS Advisory).