Sign-up

ID

VAR-201803-0124


CVE

CVE-2017-14191


TITLE

Fortinet FortiWeb Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012980

DESCRIPTION

An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under "Signed Security Mode", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie. Fortinet FortiWeb Contains an access control vulnerability.Information may be tampered with. Fortinet Fortiweb is prone to an access-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. FortiWeb 5.6.0 and prior are vulnerable; other versions may also be affected. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. An access control error vulnerability exists in Fortinet FortiWeb 5.6.0 and earlier versions

Trust: 1.98

sources: NVD: CVE-2017-14191 // JVNDB: JVNDB-2017-012980 // BID: 103430 // VULHUB: VHN-104889

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiwebscope:gteversion:5.6.0

Trust: 1.0

vendor:fortinetmodel:fortiwebscope:ltversion:6.1.0

Trust: 1.0

vendor:fortinetmodel:fortiwebscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortiwebscope:eqversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.5.3

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.5.2

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.5.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.5

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.3.5

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.3.4

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.3.3

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.3.2

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.3.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.2.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.4

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.3

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.2

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.2.0

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.1.4

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.1.3

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.1.2

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.1.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.0

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:neversion:6.1

Trust: 0.3

sources: BID: 103430 // JVNDB: JVNDB-2017-012980 // NVD: CVE-2017-14191

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14191
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14191
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201803-726
value: MEDIUM

Trust: 0.6

VULHUB: VHN-104889
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14191
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104889
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14191
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104889 // JVNDB: JVNDB-2017-012980 // CNNVD: CNNVD-201803-726 // NVD: CVE-2017-14191

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-104889 // JVNDB: JVNDB-2017-012980 // NVD: CVE-2017-14191

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-726

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201803-726

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012980

PATCH
title:FG-IR-17-279url:https://fortiguard.com/advisory/FG-IR-17-279
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2017-012980

EXTERNAL IDS
db:NVDid:CVE-2017-14191
Trust: 2.8
db:BIDid:103430
Trust: 2.0
db:JVNDBid:JVNDB-2017-012980
Trust: 0.8
db:CNNVDid:CNNVD-201803-726
Trust: 0.6
db:VULHUBid:VHN-104889
Trust: 0.1
sources:
            
            
            VULHUB: VHN-104889 // 
            
            
            
            BID: 103430 // 
            
            
            
            JVNDB: JVNDB-2017-012980 // 
            
            
            
            CNNVD: CNNVD-201803-726 // 
            
            
            
            NVD: CVE-2017-14191

REFERENCES
url:http://www.securityfocus.com/bid/103430
Trust: 2.3
url:https://fortiguard.com/advisory/fg-ir-17-279
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14191
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14191
Trust: 0.8
url:http://www.fortinet.com/
Trust: 0.3
url:https://fortiguard.com/psirt/fg-ir-17-279
Trust: 0.3
sources:
            
            
            VULHUB: VHN-104889 // 
            
            
            
            BID: 103430 // 
            
            
            
            JVNDB: JVNDB-2017-012980 // 
            
            
            
            CNNVD: CNNVD-201803-726 // 
            
            
            
            NVD: CVE-2017-14191

CREDITS
Yavuz zdemir
Trust: 0.3
sources:
            
            
            BID: 103430

SOURCES
db:VULHUBid:VHN-104889
db:BIDid:103430
db:JVNDBid:JVNDB-2017-012980
db:CNNVDid:CNNVD-201803-726
db:NVDid:CVE-2017-14191

LAST UPDATE DATE
2024-08-14T15:39:21.515000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-104889date:2019-10-03T00:00:00
db:BIDid:103430date:2018-03-06T00:00:00
db:JVNDBid:JVNDB-2017-012980date:2018-05-15T00:00:00
db:CNNVDid:CNNVD-201803-726date:2019-10-23T00:00:00
db:NVDid:CVE-2017-14191date:2019-10-03T00:03:26.223

SOURCES RELEASE DATE
db:VULHUBid:VHN-104889date:2018-03-20T00:00:00
db:BIDid:103430date:2018-03-06T00:00:00
db:JVNDBid:JVNDB-2017-012980date:2018-05-15T00:00:00
db:CNNVDid:CNNVD-201803-726date:2018-03-21T00:00:00
db:NVDid:CVE-2017-14191date:2018-03-20T13:29:00.247