CVE-2021-43074

EUVD-2021-30027

16.02.2023, 19:15

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
fortinet	CNA	4.1 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Affected Products (NVD)

Vendor	Product	Version
fortinet	fortiproxy	1.0.0 ≤ 𝑥 < 2.0.8
fortinet	fortiproxy	7.0.0 ≤ 𝑥 < 7.0.2
fortinet	fortiweb	6.0.0 ≤ 𝑥 < 6.3.17
fortinet	fortiweb	6.4.0 ≤ 𝑥 < 7.0.0
fortinet	fortios	6.0.0 ≤ 𝑥 < 6.4.9
fortinet	fortios	7.0.0 ≤ 𝑥 < 7.0.4
fortinet	fortiswitch	6.0.0 ≤ 𝑥 < 6.4.11
fortinet	fortiswitch	7.0.0 ≤ 𝑥 < 7.0.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

https://fortiguard.com/psirt/FG-IR-21-126