CVE-2021-26091

Summary

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiMail6.4.0 <= 6.4.4affected
FortinetFortiMail6.2.0 <= 6.2.9affected
FortinetFortiMail6.2.0 < 6.2.*affected

Weaknesses

  • CWE-338: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References