CVE-2021-43074

16.02.2023, 19:15

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1and below, 2.0.7and below, 1.2 all versions, 1.1 all versions, 1.0 all versionsmay allow an attackerto decrypt portions of the administrative session management cookieif able to intercept the latter.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
fortinet	CNA	4.1 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 30%

Vendor	Product	Version
fortinet	fortiproxy	1.0.0 ≤ 𝑥 < 2.0.8
fortinet	fortiproxy	7.0.0 ≤ 𝑥 < 7.0.2
fortinet	fortiweb	6.0.0 ≤ 𝑥 < 6.3.17
fortinet	fortiweb	6.4.0 ≤ 𝑥 < 7.0.0
fortinet	fortios	6.0.0 ≤ 𝑥 < 6.4.9
fortinet	fortios	7.0.0 ≤ 𝑥 < 7.0.4
fortinet	fortiswitch	6.0.0 ≤ 𝑥 < 6.4.11
fortinet	fortiswitch	7.0.0 ≤ 𝑥 < 7.0.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

https://fortiguard.com/psirt/FG-IR-21-126