PT-2021-18575 · Agenzia Delle Entrate · Agenzia Delle Entrate Desktop Telematico

Mattia Furlani

Published

2021-05-10

Updated

2021-05-19

CVE-2021-3003

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Agenzia delle Entrate Desktop Telematico version 1.0.0

Description The issue allows man-in-the-middle attackers to spoof product updates because it contacts the jws.agenziaentrate.it server over cleartext HTTP.

Recommendations For version 1.0.0, consider disabling the cleartext HTTP connection to the jws.agenziaentrate.it server as a temporary workaround until a patch is available. Restrict access to the server to minimize the risk of exploitation. Avoid using the cleartext HTTP protocol for product updates until the issue is resolved.

Exploit

Fix

Cleartext Transmission of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-319

Related Identifiers

CVE-2021-3003

Affected Products

Agenzia Delle Entrate Desktop Telematico

PT-2021-18575 · Agenzia Delle Entrate · Agenzia Delle Entrate Desktop Telematico

CVE-2021-3003

Weakness Enumeration

Related Identifiers

Affected Products

References · 4