CVE-2021-43074

16.02.2023, 19:15

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
fortinet	fortiproxy	1.0.0 ≤ 𝑥 < 2.0.8
fortinet	fortiproxy	7.0.0 ≤ 𝑥 < 7.0.2
fortinet	fortiweb	6.0.0 ≤ 𝑥 < 6.3.17
fortinet	fortiweb	6.4.0 ≤ 𝑥 < 7.0.0
fortinet	fortios	6.0.0 ≤ 𝑥 < 6.4.9
fortinet	fortios	7.0.0 ≤ 𝑥 < 7.0.4
fortinet	fortiswitch	6.0.0 ≤ 𝑥 < 6.4.11
fortinet	fortiswitch	7.0.0 ≤ 𝑥 < 7.0.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

https://fortiguard.com/psirt/FG-IR-21-126