Portal Portal Forum Forum Devolutions Force Devolutions Force Devolutions Hub Business Devolutions Hub Business Devolutions Hub Personal Devolutions Hub Personal Download RDM RDM Workspace Workspace Launcher Launcher

Security & Compliance

Security & Compliance Reporting a Security Issue Advisories

DEVO-2021-0005

Summary

A vulnerability was fixed were private key were returned unencrypted by the connections/partial endpoint.

Affected Products

Devolutions Server 2021.1.17 and earlier.
Devolutions Server 2020.3.20 (LTS) and earlier.

Change Log

Initial Publication - 2021-06-30 Added CVE - 2021-07-13

Severity

Low

Product

Devolutions Server

Fix Version

2021.1.18, 2020.3.21 (LTS)

Private key returned unencrypted in connections/partial endpoint (CVE-2021-36382)

Description

Private keys are returned by the connections/partial endpoint without being encrypted. This could lead to data exposure for installations that do not have TLS enabled.

Remediation and Workarounds

Update to Devolutions Server 2021.1.18 or higher.
Update to Devolutions Server LTS 2020.3.21 or higher.

This issue is completely mitigated when Devolutions Server is configured to use TLS. The confidentiality of private keys can also be protected by setting a strong password on them.

Severity

Low - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected Products

Devolutions Server 2021.1.17 and earlier.
Devolutions Server LTS 2020.3.20 and earlier.

CVE(s)

CVE-2021-36382