CVE-2021-44151
Summary
| CVE | CVE-2021-44151 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-13 04:15:00 UTC |
| Updated | 2023-08-08 14:22:00 UTC |
| Description | An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit. |
Risk And Classification
Problem Types: CWE-330
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Reprisesoftware | Reprise License Manager | 14.2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Reprise License Manager 14.2 Session Hijacking ≈ Packet Storm | MISC | packetstormsecurity.com | |
| www.reprisesoftware.com/RELEASE_NOTES | CONFIRM | www.reprisesoftware.com | |
| License Administration Bundle Downloads: Reprise License Manager - RLM | MISC | reprisesoftware.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.