CVE-2021-43074

Published: Feb 16, 2023Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.

Affected (8)

Products: Fortinet: Fortios, Fortiproxy, Fortiswitch, Fortiweb

4 products

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 6.0.0 to 6.4.9
Fortinet Fortios	From 7.0.0 to 7.0.4
Fortinet Fortiproxy	From 1.0.0 to 2.0.8
Fortinet Fortiproxy	From 7.0.0 to 7.0.2
Fortinet Fortiswitch	From 6.0.0 to 6.4.11
Fortinet Fortiswitch	From 7.0.0 to 7.0.4
Fortinet Fortiweb	From 6.0.0 to 6.3.17
Fortinet Fortiweb	From 6.4.0 to 7.0.0

Related CWEs

CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (2)

https://fortiguard.com/psirt/FG-IR-21-126

Source: psirt@fortinet.com

Vendor Advisory

https://fortiguard.com/psirt/FG-IR-21-126

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.