CVE-2021-43074

2023-02-1619:15:11

CWE-347

[email protected]

web.nvd.nist.gov

fortiweb

fortios

fortiswitch

fortiproxy

vulnerability

cryptographic signature

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.6

Confidence

High

EPSS

0.001

Percentile

23.5%

JSON

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.

Affected configurations

Nvd

Node

fortinetfortiproxyRange1.0.0–2.0.8

fortinetfortiproxyRange7.0.0–7.0.2

fortinetfortiwebRange6.0.0–6.3.17

fortinetfortiwebRange6.4.0–7.0.0

fortinetfortiosRange6.0.0–6.4.9

fortinetfortiosRange7.0.0–7.0.4

fortinetfortiswitchRange6.0.0–6.4.11

fortinetfortiswitchRange7.0.0–7.0.4

VendorProductVersionCPE
fortinetfortiproxy*cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
fortinetfortiweb*cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
fortinetfortios*cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
fortinetfortiswitch*cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortiproxy	*	cpe:2.3:a:fortinet:fortiproxy::::::::
fortinet	fortiweb	*	cpe:2.3:a:fortinet:fortiweb::::::::
fortinet	fortios	*	cpe:2.3:o:fortinet:fortios::::::::
fortinet	fortiswitch	*	cpe:2.3:o:fortinet:fortiswitch::::::::