CVE-2021-28411
📋 TL;DR
This vulnerability in RuoYi's CookieRememberMeManager allows remote attackers to escalate privileges by exploiting improper deserialization of remembered user identities. Any system running the affected RuoYi version with the remember-me feature enabled is vulnerable to authentication bypass and privilege escalation attacks.
💻 Affected Systems
- lerry903 RuoYi
📦 What is this software?
RuoYi (maintained on GitHub by lerry903)
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative access, allowing attackers to execute arbitrary code, access sensitive data, and modify system configurations.
Likely Case
Authentication bypass leading to unauthorized access to privileged functionality and data exposure.
If Mitigated
Limited impact with proper network segmentation and authentication controls in place.
🎯 Exploit Status
The vulnerability is in the getRememberedSerializedIdentity function, which improperly handles serialized data and thereby allows privilege escalation through cookie manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.4.0
Vendor Advisory: https://github.com/lerry903/RuoYi/issues/20
Restart Required: Yes
Instructions:
1. Upgrade RuoYi to the latest version.
2. Verify that the CookieRememberMeManager class has been updated.
3. Restart the application server.
🔧 Temporary Workarounds
Disable Remember-Me Feature
Temporarily disable the remember-me authentication functionality to prevent exploitation.
Modify the application configuration to set the remember-me feature to false.
🧯 If You Can't Patch
- Implement strict input validation for authentication cookies
- Deploy web application firewall rules to detect and block suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment runs RuoYi version 3.4.0 and whether its CookieRememberMeManager class still contains the unpatched getRememberedSerializedIdentity function.
Check Version:
Check application configuration files or deployment manifests for RuoYi version information.
Verify Fix Applied:
Verify that the application version is later than 3.4.0 and test the authentication flows that use remember-me functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts
- Multiple failed login attempts followed by successful privileged access
- Suspicious cookie values in authentication logs
Network Indicators:
- Unusual authentication requests with manipulated cookies
- Requests to privileged endpoints from unexpected sources
SIEM Query:
source="web_app" AND ((event_type="authentication" AND cookie_length>normal) OR (user_privilege_change AND source_ip=new))
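The SIEM query above is pseudo-syntax. The following added Python example (not part of this advisory or of the RuoYi project) implements the same two rules over constructed JSON log lines: remember-me cookies far longer than the observed median, and a privilege change from a source IP the user has never authenticated from. The log field names, the 2x length threshold and the known-IP history are assumptions.

```python
import json
import statistics

# Constructed sample log lines in an assumed JSON format; not from a real RuoYi deployment.
SAMPLE_LOGS = [
    '{"source":"web_app","event_type":"authentication","user":"alice","source_ip":"10.0.0.5","cookie_length":412}',
    '{"source":"web_app","event_type":"authentication","user":"bob","source_ip":"10.0.0.6","cookie_length":420}',
    '{"source":"web_app","event_type":"authentication","user":"alice","source_ip":"10.0.0.5","cookie_length":408}',
    '{"source":"web_app","event_type":"authentication","user":"carol","source_ip":"203.0.113.9","cookie_length":1850}',
    '{"source":"web_app","event_type":"privilege_change","user":"carol","source_ip":"203.0.113.9","new_role":"admin"}',
]

# Assumed history of source IPs each user has previously authenticated from (e.g. from an identity store).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"}, "carol": {"10.0.0.7"}}

# Assumed threshold: a remember-me cookie more than twice the median length is "longer than normal".
COOKIE_LENGTH_FACTOR = 2.0


def parse_logs(lines):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def detect(events, known_ips):
    """Return (rule, user, source_ip) alerts for the two indicators in the SIEM query."""
    web = [e for e in events if e.get("source") == "web_app"]
    lengths = [e["cookie_length"] for e in web
               if e.get("event_type") == "authentication" and "cookie_length" in e]
    # The median is robust to the very outliers we want to catch, so a single oversized
    # cookie does not drag the baseline up with it.
    baseline = statistics.median(lengths) if lengths else 0
    alerts = []
    for e in web:
        user, ip = e.get("user"), e.get("source_ip")
        if e.get("event_type") == "authentication":
            if baseline and e.get("cookie_length", 0) > COOKIE_LENGTH_FACTOR * baseline:
                alerts.append(("oversized_remember_me_cookie", user, ip))
        elif e.get("event_type") == "privilege_change":
            # "source_ip=new": the IP is absent from this user's authentication history.
            if ip not in known_ips.get(user, set()):
                alerts.append(("privilege_change_from_new_ip", user, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS), KNOWN_IPS):
        print(alert)
```

Feed real exports through parse_logs after mapping your logger's field names onto the assumed ones, and replace KNOWN_IPS with history from your identity store.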