Details of VAR-201404-0183

ID

VAR-201404-0183

CVE

CVE-2014-1956

TITLE

FortiGuard FortiWeb In CRLF Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-002343

DESCRIPTION

CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Fortinet Fortiweb is prone to multiple security vulnerabilities, including; 1. A cross-site scripting vulnerability 2. A security-bypass vulnerability 3. Fortinet Fortiweb 5.0.2 and prior are vulnerable. Fortinet FortiGuard FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc. Sensitive database content. CRLF injection vulnerability exists in Fortinet FortiGuard FortiWeb 5.0.2 and earlier versions

Trust: 1.98

sources: NVD: CVE-2014-1956 // JVNDB: JVNDB-2014-002343 // BID: 65660 // VULHUB: VHN-69895

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	lte	version:	5.0.2	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	5.0.2	Trust: 0.9
vendor:	fortinet	model:	fortiweb	scope:	lt	version:	5.0.3	Trust: 0.8
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	4.4.7	Trust: 0.3
vendor:	fortinet	model:	fortiweb	scope:	ne	version:	5.0.3	Trust: 0.3

sources: BID: 65660 // JVNDB: JVNDB-2014-002343 // CNNVD: CNNVD-201404-604 // NVD: CVE-2014-1956

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1956
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-1956
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201404-604
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-69895
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-1956
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2014-1956
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-69895
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-69895 // JVNDB: JVNDB-2014-002343 // CNNVD: CNNVD-201404-604 // NVD: CVE-2014-1956

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2014-002343 // NVD: CVE-2014-1956

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-604

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201404-604

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002343

PATCH

title:

FortiWeb Multiple Vulnerabilities

url:

http://www.fortiguard.com/advisory/FG-IR-13-009/

Trust: 0.8

sources: JVNDB: JVNDB-2014-002343

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1956	Trust: 2.8
db:	JVNDB	id:	JVNDB-2014-002343	Trust: 0.8
db:	CNNVD	id:	CNNVD-201404-604	Trust: 0.7
db:	SECUNIA	id:	56981	Trust: 0.6
db:	BID	id:	65660	Trust: 0.3
db:	VULHUB	id:	VHN-69895	Trust: 0.1

sources: VULHUB: VHN-69895 // BID: 65660 // JVNDB: JVNDB-2014-002343 // CNNVD: CNNVD-201404-604 // NVD: CVE-2014-1956

REFERENCES

url:	http://www.fortiguard.com/advisory/fg-ir-13-009/	Trust: 2.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1956	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1956	Trust: 0.8
url:	http://secunia.com/advisories/56981	Trust: 0.6
url:	http://www.fortinet.com/	Trust: 0.3

sources: VULHUB: VHN-69895 // BID: 65660 // JVNDB: JVNDB-2014-002343 // CNNVD: CNNVD-201404-604 // NVD: CVE-2014-1956

CREDITS

Robert van Hamburg of Intermax Security

Trust: 0.3

sources: BID: 65660

SOURCES

db:	VULHUB	id:	VHN-69895
db:	BID	id:	65660
db:	JVNDB	id:	JVNDB-2014-002343
db:	CNNVD	id:	CNNVD-201404-604
db:	NVD	id:	CVE-2014-1956

LAST UPDATE DATE

2024-08-14T14:21:08.757000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-69895	date:	2014-07-18T00:00:00
db:	BID	id:	65660	date:	2014-02-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-002343	date:	2014-05-02T00:00:00
db:	CNNVD	id:	CNNVD-201404-604	date:	2014-05-06T00:00:00
db:	NVD	id:	CVE-2014-1956	date:	2014-07-18T18:38:07.713

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-69895	date:	2014-04-30T00:00:00
db:	BID	id:	65660	date:	2014-02-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-002343	date:	2014-05-02T00:00:00
db:	CNNVD	id:	CNNVD-201404-604	date:	2014-04-30T00:00:00
db:	NVD	id:	CVE-2014-1956	date:	2014-04-30T14:22:06.203