First published: Fri Dec 10 2021
An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Digi Transport Wr11 Firmware | <6.0.0.0 | |
Digi Transport Wr11 | | |
Digi Transport Wr11 Xt Firmware | <6.0.0.0 | |
Digi Transport Wr11 Xt | | |
Digi Transport Wr21 Firmware | <6.0.0.0 | |
Digi TransPort WR21 | | |
Digi Transport Wr31 Firmware | <6.0.0.0 | |
Digi Transport Wr31 | | |
Digi Transport Wr41 Firmware | <6.0.0.0 | |
Digi Transport Wr41 | | |
Digi Transport Wr44 Firmware | <6.0.0.0 | |
Digi Transport Wr44 | =v2 | |
CVE-2021-37189 is a vulnerability in Digi TransPort Gateway devices through 5.2.13.4, which do not set the Secure attribute for sensitive cookies in HTTPS sessions, potentially compromising the security of user data.
The severity of CVE-2021-37189 is high with a CVSS score of 7.5.
CVE-2021-37189 can be exploited by intercepting and reading sensitive cookies sent over an HTTP session, as the Secure attribute is not set.
The affected software for CVE-2021-37189 includes Digi Transport Wr11 Firmware, Digi Transport Wr11 Xt Firmware, Digi Transport Wr21 Firmware, Digi Transport Wr31 Firmware, Digi Transport Wr41 Firmware, and Digi Transport Wr44 Firmware.
To mitigate CVE-2021-37189, it is recommended to update Digi TransPort Gateway devices to version 6.0.0.0 or higher, where the Secure attribute is properly set for sensitive cookies.