CVE-2021-45894: 
Homebrew vulnerability analysis and mitigation

An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4 that involves Cleartext Transmission of Sensitive Information. The vulnerability was discovered on October 19, 2021, reported to the manufacturer on November 9, 2021, and publicly disclosed on April 1, 2022. The affected software is ZA|ARC, which is used for archiving digital tachographs (SYSS Advisory).

The vulnerability occurs due to the use of an unencrypted database connection between the ZA|ARC client application and database servers (such as Firebird, MS SQL, or Oracle). When using a Firebird database, the network communication between the client application and the database server is transmitted in cleartext. This vulnerability has been assigned CWE-319 (Cleartext Transmission of Sensitive Information) and has a CVSS v3.1 Base Score of 5.9 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

The vulnerability only affects networked installations where the ZA|ARC client application runs on a different system from the database server. An attacker who successfully exploits this vulnerability could gain access to database credentials, application credentials, and all data stored or viewed in the application through machine-in-the-middle attacks (SYSS Advisory).

The manufacturer has indicated that this issue will not be fixed in ZA|ARC. Users are advised to upgrade to zaarc.next when it becomes available. For single-user installations where only localhost is involved in network traffic, the vulnerability is not exploitable (SYSS Advisory).