CVE-2021-41553

Name of the Vulnerable Software and Affected Versions ARCHIBUS Web Central versions 21.3.3.815 and earlier

Description The issue arises from the Web Application in /archibus/login.axvw, where a session token could be assigned that is already in use by another user. This allowed access to the application without knowing the user's credentials. It was also possible to set the value of the session token client-side by making an unauthenticated GET Request to the Home Page and adding an arbitrary value to the JSESSIONID field. The application did not assign a new token after login, continuing to use the inserted one as the session identifier. This vulnerability only affects products that are no longer supported by the maintainer.

Recommendations For ARCHIBUS Web Central versions 21.3.3.815 and earlier, update to a version newer than 21.3, such as version 26, to resolve the issue. As a temporary workaround, consider restricting access to the /archibus/login.axvw endpoint to minimize the risk of exploitation. Avoid using the JSESSIONID field in the affected API endpoint until the issue is resolved.