CVE-2021-36170

Published: Oct 6, 2021Modified: Nov 21, 2024

3.2

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Exploitability: 1.5 / Impact: 1.4

Source: NVD

Description

An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7.0.0 and 6.4.6 and below may allow an authenticated attacker to read the FortiCloud credentials which were used to activate the trial license in cleartext.

Affected (4)

Products: Fortinet: Fortianalyzer, Fortimanager

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortianalyzer	Before 6.4.7
Fortinet Fortianalyzer	From 7.0.0 to 7.0.1
Fortinet Fortimanager	Before 6.4.7
Fortinet Fortimanager	From 7.0.0 to 7.0.1

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (2)

https://fortiguard.com/advisory/FG-IR-21-112

Source: psirt@fortinet.com

Vendor Advisory

https://fortiguard.com/advisory/FG-IR-21-112

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.