CVE-2021-33982

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to reuse, spoof, or steal user and admin sessions in the Fish | Hunt FL iOS app due to insufficient session expiration (the weakness catalogued as CWE-613): a session token that has been captured or leaked stays valid after the user logs out or after a reasonable idle period, so whoever holds it can keep acting as that user. Users of version 3.8.0 and earlier are affected, potentially compromising their accounts and, for admin sessions, administrative functions.

💻 Affected Systems

Products:
  • Fish | Hunt FL iOS app
Versions: 3.8.0 and earlier
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only the iOS app versions listed are named as affected. Session validity is normally enforced by the app's backend, so the fix may involve server-side changes that are invisible to the user beyond the app update.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative privileges, access sensitive user data, modify app configurations, or perform unauthorized actions on behalf of legitimate users.

🟠

Likely Case

Attackers hijack user sessions to access personal information, location data, or perform unauthorized app actions.

🟢

If Mitigated

Limited impact with proper session management, but still poses authentication bypass risks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to already hold a valid session token, obtained for example by intercepting traffic on a hostile network, reading it from a lost or shared device, or finding it in logs or backups. The vulnerability is that such a token keeps working after logout or timeout instead of being rejected; the capture techniques themselves are well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated; any version later than 3.8.0

Vendor Advisory: Not publicly available

Restart Required: Yes

Instructions:

1. Update the Fish | Hunt FL app via the Apple App Store.
2. Ensure you're running a version newer than 3.8.0.
3. Restart the app after the update.

🔧 Temporary Workarounds

Force logout and re-authentication

Applies to: all

Invalidate all existing sessions on the backend and require fresh authentication. Note the caveat that defines this weakness: tapping "log out" in the app only makes the client forget its token, and if the server does not revoke the token at the same time, a previously captured copy remains usable. Revocation therefore has to happen server-side (for example by deleting the session record or rotating the signing key), which only the service operator can do.

Network segmentation and monitoring

Applies to: all

For the service operator: monitor backend authentication logs for tokens that are used after a logout event or long after their last activity, and keep app traffic on a network segment where such patterns can be observed. End users cannot apply this on the device itself.

🧯 If You Can't Patch

  • Discontinue use of vulnerable app versions, or at minimum avoid logging in on untrusted networks and shared devices, since any token captured there stays usable.
  • Service operators: monitor backend logs for session tokens used after logout or after an idle period, and shorten server-side session lifetimes if the backend allows it.

🔍 How to Verify

Check if Vulnerable:

Check app version in iOS Settings > General > iPhone Storage > Fish | Hunt FL. If version is 3.8.0 or earlier, you are vulnerable.

Check Version:

Not applicable - check via iOS settings interface

Verify Fix Applied:

Confirm the app version is newer than 3.8.0 in iOS settings. To check that sessions actually expire, on a test device route the app's traffic through an intercepting proxy, log in and note the session token the app sends, log out, and replay an earlier authenticated request with the old token. The backend should reject it; repeat the replay after the expected idle timeout has elapsed without logging out.
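The two checks above (does a token survive logout, and does it survive the idle timeout) come down to how the backend's session store behaves. The following added example, which is not the Fish | Hunt FL app's or its backend's code, models a minimal server-side store twice: once with the CWE-613 behaviour, where logout is client-side only and tokens never age out, and once hardened with server-side revocation, a "log out everywhere" operation of the kind the workaround section calls for, and idle and absolute timeouts. The timeout values, token format, and the `replay_after_*` probes are assumptions chosen for illustration. Time is passed in explicitly so the probes are deterministic.

```python
"""Added example, not the vendor's code: a session store with the CWE-613
(insufficient session expiration) defect beside a hardened version."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: seconds since login before a session dies


@dataclass
class Session:
    user: str
    is_admin: bool
    created: float    # login time (epoch seconds)
    last_seen: float  # last request time (epoch seconds)


class VulnerableSessionStore:
    """Logout only tells the client to forget its token; the server record
    stays valid forever, so a captured token can be replayed at any time."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, is_admin=False, now=0.0):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, is_admin, now, now)
        return token

    def logout(self, token):
        # Defect: nothing is removed server-side.
        return True

    def resolve(self, token, now=0.0):
        # Defect: no idle or absolute timeout is checked.
        return self._sessions.get(token)


class HardenedSessionStore:
    """Logout revokes server-side; sessions expire on idle and absolute limits;
    logout_all() implements the 'force logout' workaround for one user."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._sessions = {}
        self.idle = idle
        self.absolute = absolute

    def login(self, user, is_admin=False, now=0.0):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, is_admin, now, now)
        return token

    def logout(self, token):
        # Revoke the server-side record; a replayed copy now fails resolve().
        return self._sessions.pop(token, None) is not None

    def logout_all(self, user):
        """Revoke every session for `user`; returns how many were removed."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def resolve(self, token, now=0.0):
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.absolute or now - s.last_seen > self.idle:
            del self._sessions[token]  # expired: drop it and reject
            return None
        s.last_seen = now  # sliding idle window
        return s


def replay_after_logout(store, now=0.0):
    """True if a token still resolves one second after logout (the defect)."""
    token = store.login("alice", now=now)
    store.logout(token)
    return store.resolve(token, now=now + 1) is not None


def replay_after_idle(store, now=0.0):
    """True if a token still resolves after the idle timeout has elapsed."""
    token = store.login("alice", now=now)
    return store.resolve(token, now=now + IDLE_TIMEOUT + 1) is not None


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__, "replay after logout:", replay_after_logout(cls()),
              "replay after idle:", replay_after_idle(cls()))
```

The probes are the same two checks a tester performs against the real backend with an intercepting proxy: a store that returns `True` from either probe has the weakness, regardless of what the client app shows on screen.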

📡 Detection & Monitoring

Log Indicators:

  • Multiple sessions from same user with different tokens
  • Session tokens used after logout events
  • Admin actions from non-admin IP addresses
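The first two log indicators can be checked mechanically over backend authentication logs. The following added example is not the vendor's tooling and the log format is an assumption: one line per event with an ISO-8601 timestamp, user, session token, event type (`login`, `logout`, `request`) and a detail field. The sample lines are constructed for illustration. The script flags any request made with a token after that token's logout event, and any user who accumulates more than an assumed threshold of simultaneously active tokens.

```python
"""Added example, not the vendor's code: detect session-token reuse after
logout and excessive concurrent sessions in constructed backend log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format):
#   <iso-timestamp> <user> <token> <event> <detail>
SAMPLE_LOG = """\
2021-06-01T10:00:00Z alice tokA1 login -
2021-06-01T10:05:00Z alice tokA1 request /api/catches
2021-06-01T10:06:00Z alice tokA1 logout -
2021-06-01T10:30:00Z alice tokA1 request /api/profile
2021-06-01T11:00:00Z bob tokB1 login -
2021-06-01T11:01:00Z bob tokB2 login -
2021-06-01T11:02:00Z bob tokB3 login -
2021-06-01T11:03:00Z bob tokB2 request /api/admin/users
2021-06-01T11:10:00Z bob tokB1 logout -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (login|logout|request) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash the scan
        ts, user, token, event, detail = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "token": token, "event": event, "detail": detail,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_reuse_after_logout(events):
    """Return (user, token, timestamp, detail) for every request that uses a
    token after that token's logout event: the signature of this weakness."""
    logged_out = {}  # token -> time of logout
    alerts = []
    for e in events:
        if e["event"] == "logout":
            logged_out[e["token"]] = e["ts"]
        elif e["event"] == "request" and e["token"] in logged_out:
            alerts.append((e["user"], e["token"], e["ts"], e["detail"]))
    return alerts


def find_concurrent_tokens(events, max_active=2):
    """Return (user, timestamp, active tokens) each time a login pushes a user
    above `max_active` simultaneously valid tokens (threshold is assumed)."""
    active = defaultdict(set)  # user -> tokens not yet logged out
    alerts = []
    for e in events:
        if e["event"] == "login":
            active[e["user"]].add(e["token"])
            if len(active[e["user"]]) > max_active:
                alerts.append((e["user"], e["ts"], sorted(active[e["user"]])))
        elif e["event"] == "logout":
            active[e["user"]].discard(e["token"])
    return alerts


def scan(text, max_active=2):
    """Convenience wrapper: both detections over raw log text."""
    events = parse_log(text)
    return {
        "reuse_after_logout": find_reuse_after_logout(events),
        "concurrent_tokens": find_concurrent_tokens(events, max_active),
    }


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

The reuse check only fires once the token has been seen in a `logout` event, so a backend that silently drops its logout records would hide the indicator; the concurrent-token check catches the "multiple sessions from same user with different tokens" case but needs a threshold tuned to how many devices a legitimate user actually has.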

Network Indicators:

  • Unusual session token reuse patterns, such as the same token appearing from two client addresses or long after its last activity
  • Session tokens transmitted over unencrypted channels (a separate weakness, but one that makes the capture step trivial)

SIEM Query:

No query is given. The app itself produces no centralized logs; the indicators above apply to the backend's authentication logs, if the service operator collects them in a SIEM.
