CVE-2021-36190

EUVD-2021-22811
A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
fortinetCNA
5.5 MEDIUM
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
fortinetfortiweb
6.0.0 ≤
𝑥
≤ 6.0.7
fortinetfortiweb
6.2.0 ≤
𝑥
≤ 6.2.6
fortinetfortiweb
6.3.0 ≤
𝑥
≤ 6.3.15
fortinetfortiweb
6.1.0
fortinetfortiweb
6.1.1
fortinetfortiweb
6.1.2
fortinetfortiweb
6.4.0
fortinetfortiweb
6.4.1
𝑥
= Vulnerable software versions
References
https://fortiguard.com/advisory/FG-IR-21-123
https://fortiguard.com/advisory/FG-IR-21-123