Cyber Resilience

CVE-2021-27764

High

Published: 06 May 2022

Modified: 21 November 2024
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-27764 is a high-severity Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) vulnerability in HCLTech BigFix WebUI. Its CVSS base score is 7.4 (High).

Operationally, its EPSS score places it at the 28.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Cookie without HttpOnly flag set. NUMBER cookie(s) were set without the Secure or HttpOnly flags. The images show the cookie with the missing flag. (WebUI)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

HCLTech BigFix WebUI, all versions

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Privacy and security training stresses encryption of sensitive data, reducing missing encryption weaknesses. (addresses CWE-311, CWE-732)

- Documenting and enforcing configuration settings ensures correct permission assignments for critical resources. (addresses CWE-732, CWE-311)

- Privacy and security curricula stress encryption requirements, reducing missing encryption of sensitive data. (addresses CWE-311, CWE-732)

- Monitoring detects missing encryption of sensitive data in storage or transit configurations. (addresses CWE-311, CWE-732)

- Privacy and security considerations mandated across the SDLC make identification and protection of sensitive data (including encryption decisions) a required activity rather than an afterthought. (addresses CWE-311, CWE-732)

- Procedures support proper permission assignment for critical resources through documented controls. (addresses CWE-732)

- Attribute management for resources provides a mechanism to assign and maintain correct permissions based on security labels. (addresses CWE-732)

- Prevents overly permissive assignments to critical resources by limiting them to task needs. (addresses CWE-732)
