CVE-2021-3131

7.5 HIGH

📋 TL;DR

This vulnerability in 1C:Enterprise 8 web server exposes base64-encoded credentials in URL parameters, allowing attackers to intercept authentication data. It affects all organizations using vulnerable versions of 1C:Enterprise 8 web servers, particularly those with internet-facing deployments.

💻 Affected Systems

Products:
  • 1C:Enterprise 8
Versions: All versions before 8.3.17.1851
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web server component of 1C:Enterprise 8 deployments using HTTP/HTTPS interfaces.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers intercept credentials and gain unauthorized access to sensitive business data, financial systems, or administrative functions, potentially leading to data theft, system compromise, or business disruption.

🟠

Likely Case

Credential harvesting leading to unauthorized access to business applications and data stored in 1C:Enterprise systems.

🟢

If Mitigated

Limited impact due to network segmentation, credential rotation, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to intercept traffic or access to logs containing URLs. Public proof-of-concept demonstrates credential extraction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.17.1851 and later

Vendor Advisory: https://releases.1c.ru/

Restart Required: Yes

Instructions:

1. Download and install 1C:Enterprise 8 version 8.3.17.1851 or later from official vendor sources.
2. Stop all 1C:Enterprise services.
3. Apply the update.
4. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Traffic Encryption Enforcement

all

Enforce HTTPS-only connections to prevent credential interception in transit

Configure web server to redirect all HTTP to HTTPS
Disable HTTP protocol if not required

Web Application Firewall Rules

all

Block URLs containing 'creds' parameter patterns

WAF rule: deny requests containing 'creds=' in URL

🧯 If You Can't Patch

  • Implement network segmentation to isolate 1C:Enterprise servers from untrusted networks
  • Deploy comprehensive monitoring for URL parameter logging and credential exposure patterns

🔍 How to Verify

Check if Vulnerable:

Check if web server URLs contain 'creds=' parameter with base64 data during authentication requests. Monitor network traffic or logs for this pattern.

Check Version:

Check 1C:Enterprise About dialog or consult administration console for version information

Verify Fix Applied:

Verify version is 8.3.17.1851 or later and confirm 'creds' parameter no longer appears in authentication URLs.

📡 Detection & Monitoring

Log Indicators:

  • URLs containing 'creds=' parameter in web server logs
  • Base64-encoded strings in URL parameters of authentication requests

Network Indicators:

  • HTTP/HTTPS requests with 'creds=' parameter in URLs
  • Unusual authentication patterns from unexpected sources

SIEM Query:

source="web_server_logs" AND url="*creds=*"
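The same check the SIEM query and the "Check if Vulnerable" step describe, as an added example that is not part of this advisory: it scans web server access-log lines for a 'creds' query parameter carrying a base64-looking value and reports where it was seen without decoding or storing the value. The log lines and paths are constructed for illustration, not real 1C:Enterprise traffic.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:10:00:01 +0300] "GET /infobase/en_US/?creds=dXNlcjpwYXNz HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2021:10:00:02 +0300] "POST /infobase/login?cred=abc HTTP/1.1" 200 88
10.0.0.9 - - [10/Jan/2021:10:00:03 +0300] "GET /infobase/?creds=notbase64!! HTTP/1.1" 200 10
"""

# Pulls method and URL out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def looks_like_base64(value):
    """True when value is a plausible base64 string (missing '=' padding tolerated)."""
    if len(value) < 4:
        return False
    try:
        base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_exposed_creds(log_text):
    """Return (line_no, client_ip, path, value_length) for each request whose query
    string carries a base64-looking 'creds' parameter. Only the length is kept,
    so the report itself never re-exposes the credential."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("url"))
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("creds", []):
            if looks_like_base64(value):
                hits.append((line_no, line.split()[0], parts.path, len(value)))
    return hits


if __name__ == "__main__":
    for line_no, ip, path, length in find_exposed_creds(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent a {length}-char base64 'creds' value to {path}")
```

Requests whose parameter is named differently (line 2) or whose value is not base64 (line 3) are not reported, which keeps the alert tied to the pattern this advisory describes.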
