ID

VAR-201711-0049


CVE

CVE-2017-14189


TITLE

Fortinet FortiWebManager access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-011131

DESCRIPTION

An improper access control vulnerability in Fortinet FortiWebManager 5.8.0 allows anyone who can reach the admin web UI to log in successfully regardless of the password provided. Fortinet FortiWebManager therefore contains an access control vulnerability: information may be obtained or altered, and service operation may be disrupted (DoS). Fortinet FortiWebManager is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in further attacks. FortiWebManager 5.8.0 is vulnerable; other versions may also be affected. Fortinet FortiWeb is a web application firewall developed by Fortinet that blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, protecting web applications and sensitive database content. FortiWebManager is the application used to manage FortiWeb appliances. An attacker could exploit this vulnerability to gain access to the administrator's web user interface.

Trust: 2.07

sources: NVD: CVE-2017-14189 // JVNDB: JVNDB-2017-011131 // BID: 101953 // VULHUB: VHN-104886 // VULMON: CVE-2017-14189
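The description says the login succeeds for any password once the account exists. The public advisory does not say how FortiWebManager's check actually failed, so the following is a constructed illustration of that bug class, not FortiWebManager code: a handler that derives the password hash but never uses the result, next to a corrected handler, plus a black-box check a tester can run against any login callable to confirm that wrong passwords are rejected. The user store, the account name "admin" and the password are invented for the example.

```python
"""Illustration of the vulnerability class behind CVE-2017-14189: a login
handler that succeeds for any password once the account exists.

Constructed example for this page; it is NOT FortiWebManager code and the
advisory does not say how the product's check actually failed."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for the constructed user store


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 hash) for a constructed account."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: hypothetical admin account, not a real credential.
ADMIN_PASSWORD = "correct horse battery staple"
USERS = {"admin": make_record(ADMIN_PASSWORD)}
# Dummy record so unknown users cost the same as known ones (no user enumeration by timing).
DUMMY = (os.urandom(16), bytes(32))


def vulnerable_login(username: str, password: str) -> bool:
    """Flawed handler: derives the hash but never compares it, so the
    decision depends only on whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, _stored = record
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)  # result ignored
    return True  # BUG: success regardless of the password


def fixed_login(username: str, password: str) -> bool:
    """Correct handler: success requires a constant-time match between the
    derived key and the stored hash."""
    salt, stored = USERS.get(username, DUMMY)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, stored) and username in USERS


def password_enforced(login, username: str, good_password: str) -> dict:
    """Black-box check for this bug class against any login callable: the
    right password must pass; empty/random passwords and unknown users must fail."""
    return {
        "accepts_correct": login(username, good_password),
        "rejects_empty": not login(username, ""),
        "rejects_random": not login(username, secrets.token_urlsafe(16)),
        "rejects_unknown_user": not login("no-such-user", good_password),
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable_login", vulnerable_login), ("fixed_login", fixed_login)):
        result = password_enforced(fn, "admin", ADMIN_PASSWORD)
        verdict = "OK" if all(result.values()) else "PASSWORD NOT ENFORCED"
        print(f"{name}: {verdict} {result}")
```

The same four probes (correct password, empty password, random password, unknown user) are what a pentester would send to a real login form to confirm a report like this one; the flawed handler passes only the first and last, which is exactly the "logs in regardless of the provided password" behaviour the advisory describes.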

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb manager, scope: eq, version: 5.8.0

Trust: 1.6

vendor: fortinet, model: fortiwebmanager, scope: eq, version: 5.8.0

Trust: 0.8

vendor: fortinet, model: fortiwebmanager, scope: eq, version: 5.8

Trust: 0.3

vendor: fortinet, model: fortiwebmanager, scope: ne, version: 5.8.1

Trust: 0.3

sources: BID: 101953 // JVNDB: JVNDB-2017-011131 // CNNVD: CNNVD-201709-354 // NVD: CVE-2017-14189

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14189
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-14189
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201709-354
value: CRITICAL

Trust: 0.6

VULHUB: VHN-104886
value: HIGH

Trust: 0.1

VULMON: CVE-2017-14189
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-14189
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-104886
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14189
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104886 // VULMON: CVE-2017-14189 // JVNDB: JVNDB-2017-011131 // CNNVD: CNNVD-201709-354 // NVD: CVE-2017-14189

PROBLEMTYPE DATA

problemtype: CWE-521

Trust: 1.1

problemtype: CWE-284

Trust: 0.9

sources: VULHUB: VHN-104886 // JVNDB: JVNDB-2017-011131 // NVD: CVE-2017-14189

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-354

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201709-354

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011131

PATCH

title: FG-IR-17-248, url: https://fortiguard.com/psirt/FG-IR-17-248

Trust: 0.8

title: Fix for Fortinet FortiWebManager access control error vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100031

Trust: 0.6

sources: JVNDB: JVNDB-2017-011131 // CNNVD: CNNVD-201709-354

EXTERNAL IDS

db: NVD, id: CVE-2017-14189

Trust: 2.9

db: BID, id: 101953

Trust: 2.1

db: SECTRACK, id: 1039892

Trust: 1.8

db: JVNDB, id: JVNDB-2017-011131

Trust: 0.8

db: CNNVD, id: CNNVD-201709-354

Trust: 0.7

db: VULHUB, id: VHN-104886

Trust: 0.1

db: VULMON, id: CVE-2017-14189

Trust: 0.1

sources: VULHUB: VHN-104886 // VULMON: CVE-2017-14189 // BID: 101953 // JVNDB: JVNDB-2017-011131 // CNNVD: CNNVD-201709-354 // NVD: CVE-2017-14189

REFERENCES

url:http://www.securityfocus.com/bid/101953

Trust: 1.8

url:https://fortiguard.com/advisory/fg-ir-17-248

Trust: 1.8

url:http://www.securitytracker.com/id/1039892

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14189

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-14189

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

url:http://fortiguard.com/psirt/fg-ir-17-248

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/521.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-104886 // VULMON: CVE-2017-14189 // BID: 101953 // JVNDB: JVNDB-2017-011131 // CNNVD: CNNVD-201709-354 // NVD: CVE-2017-14189

CREDITS

Abdulaziz Alrushaid of Saudi Aramco.

Trust: 0.3

sources: BID: 101953

SOURCES

db: VULHUB, id: VHN-104886
db: VULMON, id: CVE-2017-14189
db: BID, id: 101953
db: JVNDB, id: JVNDB-2017-011131
db: CNNVD, id: CNNVD-201709-354
db: NVD, id: CVE-2017-14189

LAST UPDATE DATE

2024-11-23T22:07:09.736000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-104886, date: 2019-10-03T00:00:00
db: VULMON, id: CVE-2017-14189, date: 2019-10-03T00:00:00
db: BID, id: 101953, date: 2017-12-19T22:00:00
db: JVNDB, id: JVNDB-2017-011131, date: 2018-01-09T00:00:00
db: CNNVD, id: CNNVD-201709-354, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-14189, date: 2024-11-21T03:12:19.597

SOURCES RELEASE DATE

db: VULHUB, id: VHN-104886, date: 2017-11-29T00:00:00
db: VULMON, id: CVE-2017-14189, date: 2017-11-29T00:00:00
db: BID, id: 101953, date: 2017-11-24T00:00:00
db: JVNDB, id: JVNDB-2017-011131, date: 2018-01-09T00:00:00
db: CNNVD, id: CNNVD-201709-354, date: 2017-09-12T00:00:00
db: NVD, id: CVE-2017-14189, date: 2017-11-29T19:29:00.320