Missing Secure Flag From SSL Cookie
CVE-2021-35236

3.1LOW

Key Information:

Vendor: Solarwinds
Status: Kiwi Syslog Server
Vendor: CVE Published:; 14 October 2021

Summary

The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.

Affected Version(s)

Kiwi Syslog Server 9.7.2 and Previous Versions < 9.8

References

https://documentation.solarwinds.com/en/success_center/ks...

x_refsource_MISC

https://www.solarwinds.com/trust-center/security-advisori...

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 14, 2021
Vulnerability Reserved
Jun 22, 2021