Mender blog

CVE-2021-35342 - useradm incorrect access control vulnerability

We recently discovered a vulnerability in Mender Enterprise, thanks to the security researcher Mubassir Kamdar, and we have now fixed it.

When the User Administration service was configured to cache the user's JWT token verification, the token wasn't fully invalidated on log out, making it possible to issue new API calls to the backend despite being logged out. The security issue affects Mender Enterprise 2.6.0 and 2.7.0, and we fixed it in Mender Enterprise 2.6.1 and 2.7.1. Open-source versions of Mender are not affected, as they do not include the caching features.
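To make the failure mode concrete, here is a constructed Go sketch (added to this post; it is not Mender's useradm code, and the service, store and function names are assumptions). It shows how a cache of positive token verifications can outlive a logout when the logout path only revokes the token in the backing store, and how evicting the cache entry on logout closes the gap:

```go
package main

import "errors"

// Constructed example, not Mender's code: a minimal user-admin service that
// caches positive token verifications and handles logout two ways.
var ErrRevoked = errors.New("token revoked")

type Service struct {
	revoked map[string]bool // tokens invalidated by logout (stand-in for the DB)
	cache   map[string]bool // cached "this token verified OK" results
}

func NewService() *Service {
	return &Service{revoked: map[string]bool{}, cache: map[string]bool{}}
}

// verifyUncached is the slow path: signature check (omitted) plus revocation lookup.
func (s *Service) verifyUncached(tok string) error {
	if s.revoked[tok] {
		return ErrRevoked
	}
	return nil
}

// Verify remembers successful verifications so later calls skip the slow path,
// as the affected caching configuration did.
func (s *Service) Verify(tok string) error {
	if s.cache[tok] {
		return nil // cache hit: the store is never consulted
	}
	if err := s.verifyUncached(tok); err != nil {
		return err
	}
	s.cache[tok] = true
	return nil
}

// LogoutBuggy revokes the token in the store but leaves the cache entry in
// place, so Verify keeps accepting the token until that entry would expire.
func (s *Service) LogoutBuggy(tok string) {
	s.revoked[tok] = true
}

// LogoutFixed also evicts the cached verification, so the next Verify takes
// the slow path and sees the revocation.
func (s *Service) LogoutFixed(tok string) {
	s.revoked[tok] = true
	delete(s.cache, tok)
}
```

A useful regression check for any such cache is exactly this pair of calls: verify, log out, verify again, and assert the second verification fails.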

The security of the Mender product and our users is something we take very seriously. We will continue to look for, fix and responsibly disclose serious weaknesses in our product(s).

In the official public CVE registry, the issue's ID is CVE-2021-35342. If you have any questions or concerns, please get in touch with Mender support if you have a support contract, or email security@northern.tech.
