CVE-2024-21754

Published: Jun 11, 2024Modified: Nov 21, 2024

4.4

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.8 / Impact: 3.6

Source: NVD

Description

A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypting the backup file.

Affected (8)

Products: Fortinet: Fortios, Fortiproxy

Fortinet

2 products

Fortios

Fortiproxy

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 6.4.0 to 6.4.15
Fortinet Fortios	From 7.0.0 to 7.0.15
Fortinet Fortios	From 7.2.0 to 7.2.9
Fortinet Fortios	From 7.4.0 to 7.4.4
Fortinet Fortiproxy	From 2.0.0 to 2.0.14
Fortinet Fortiproxy	From 7.0.0 to 7.0.18
Fortinet Fortiproxy	From 7.2.0 to 7.2.11
Fortinet Fortiproxy	From 7.4.0 to 7.4.3

Related CWEs

CWE-916

Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

References (2)

https://fortiguard.fortinet.com/psirt/FG-IR-23-423

Source: psirt@fortinet.com

Vendor Advisory

https://fortiguard.fortinet.com/psirt/FG-IR-23-423

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.