CVE-2021-43074

Summary

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSwitch7.0.0 <= 7.0.3affected
FortinetFortiSwitch6.4.0 <= 6.4.10affected
FortinetFortiSwitch6.2.0 <= 6.2.7affected
FortinetFortiSwitch6.0.0 <= 6.0.7affected
FortinetFortiWeb6.4.0 <= 6.4.2affected
FortinetFortiWeb6.3.0 <= 6.3.16affected
FortinetFortiWeb6.2.0 <= 6.2.7affected
FortinetFortiWeb6.1.0 <= 6.1.3affected
FortinetFortiWeb6.0.0 <= 6.0.8affected
FortinetFortiProxy7.0.0 <= 7.0.1affected
FortinetFortiProxy2.0.0 <= 2.0.7affected
FortinetFortiProxy1.2.0 <= 1.2.13affected
FortinetFortiProxy1.1.0 <= 1.1.6affected
FortinetFortiProxy1.0.0 <= 1.0.7affected
FortinetFortiOS7.0.0 <= 7.0.3affected
FortinetFortiOS6.4.0 <= 6.4.8affected
FortinetFortiOS6.2.0 <= 6.2.12affected
FortinetFortiOS6.0.0 <= 6.0.16affected

Weaknesses

  • CWE-347: Information disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References