Mender blog

CVE-2021-35342 - useradm incorrect access control vulnerability

We recently discovered a vulnerability in Mender Enterprise, thanks to the security researcher Mubassir Kamdar, and we have now fixed it.

When the User Administration service was configured to cache the user's JWT token verification, the token wasn't fully invalidated on log out, making it possible to issue new API calls to the backend despite being logged out. The security issue affects Mender Enterprise 2.6.0 and 2.7.0, and we fixed it in Mender Enterprise 2.6.1 and 2.7.1. Open-source versions of Mender are not affected, as they do not include the caching features.

The security of the Mender product and our users is something we take very seriously. We will continue to look for, fix and responsibly disclose serious weaknesses in our product(s).

In the official public CVE registry, the issue's ID is CVE-2021-35342. If you have any questions or concerns, please get in touch with the Mender support if you have a support contract or email security@northern.tech.

Recent articles

Over-the-air update strategies for Raspberry Pi-based embedded systems

Over-the-air update strategies for Raspberry Pi-based embedded systems

Discover effective OTA update strategies for Raspberry Pi-based embedded systems using Mender, focusing on system-level and application-level updates for reliability and efficiency.
How OTA updates reduce automotive recalls: A cost-saving strategy for software-defined vehicles

How OTA updates reduce automotive recalls: A cost-saving strategy for software-defined vehicles

OTA updates help automotive manufacturers cut recall costs, prevent software-related defects, and protect brand reputation.
Mender Client 5.01 and 5.0.2 releases: Enhanced reliability and stability for production IoT deployments

Mender Client 5.01 and 5.0.2 releases: Enhanced reliability and stability for production IoT deployments

Learn more about the latest bug fixes and improvements to Mender with the release of Mender Client 5.0.2.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365