CVE-2021-41025

Published: Dec 8, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 thorugh 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.

Affected (9)

Products: Fortinet: Fortiweb

Fortinet

1 product

Fortiweb

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortiweb	From 6.0.0 to 6.0.7
Fortinet Fortiweb	From 6.2.0 to 6.2.6
Fortinet Fortiweb	From 6.3.0 to 6.3.15
Fortinet Fortiweb	Version 6.1.0
Fortinet Fortiweb	Version 6.1.1
Fortinet Fortiweb	Version 6.1.2
Fortinet Fortiweb	Version 6.4.0
Fortinet Fortiweb	Version 6.4.1
Fortinet Fortiweb	Version 6.4.2

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (2)

https://fortiguard.com/advisory/FG-IR-21-130

Source: psirt@fortinet.com

PatchVendor Advisory

https://fortiguard.com/advisory/FG-IR-21-130

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.