ID

VAR-202003-0840


CVE

CVE-2019-17654


TITLE

FortiManager vulnerability: insufficient verification of data authenticity

Trust: 0.8

sources: JVNDB: JVNDB-2019-015075

DESCRIPTION

An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack. FortiManager contains an insufficient verification of data authenticity vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. A security vulnerability exists in Fortinet FortiManager versions 6.2.0 to 6.2.1 and versions 6.0.6 and earlier.

Trust: 1.71

sources: NVD: CVE-2019-17654 // JVNDB: JVNDB-2019-015075 // VULHUB: VHN-149922

AFFECTED PRODUCTS

vendor: fortinet, model: fortimanager, scope: eq, version: 6.2.0

Trust: 1.8

vendor: fortinet, model: fortimanager, scope: eq, version: 6.2.1

Trust: 1.8

vendor: fortinet, model: fortimanager, scope: lte, version: 6.0.6

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: eq, version: 6.0.6

Trust: 0.8

sources: JVNDB: JVNDB-2019-015075 // NVD: CVE-2019-17654

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-17654
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015075
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202002-789
value: HIGH

Trust: 0.6

VULHUB: VHN-149922
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-17654
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-015075
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-149922
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-17654
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015075
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149922 // JVNDB: JVNDB-2019-015075 // CNNVD: CNNVD-202002-789 // NVD: CVE-2019-17654

PROBLEMTYPE DATA

problemtype: CWE-345 (Insufficient Verification of Data Authenticity)

Trust: 1.9

sources: VULHUB: VHN-149922 // JVNDB: JVNDB-2019-015075 // NVD: CVE-2019-17654

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-789

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202002-789

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015075

PATCH

title: FG-IR-19-191, url: https://fortiguard.com/psirt/FG-IR-19-191

Trust: 0.8

title: Fortinet FortiManager data forgery vulnerability, remediation measures; url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111188

Trust: 0.6

sources: JVNDB: JVNDB-2019-015075 // CNNVD: CNNVD-202002-789

EXTERNAL IDS

db: NVD, id: CVE-2019-17654

Trust: 2.5

db: JVNDB, id: JVNDB-2019-015075

Trust: 0.8

db: CNNVD, id: CNNVD-202002-789

Trust: 0.7

db: AUSCERT, id: ESB-2020.0507

Trust: 0.6

db: AUSCERT, id: ESB-2020.0510

Trust: 0.6

db: VULHUB, id: VHN-149922

Trust: 0.1

sources: VULHUB: VHN-149922 // JVNDB: JVNDB-2019-015075 // CNNVD: CNNVD-202002-789 // NVD: CVE-2019-17654

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-19-191

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-17654

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17654

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.0507/

Trust: 0.6

url: https://vigilance.fr/vulnerability/fortimanager-information-disclosure-via-cross-site-websocket-hijacking-31602

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0510/

Trust: 0.6

sources: VULHUB: VHN-149922 // JVNDB: JVNDB-2019-015075 // CNNVD: CNNVD-202002-789 // NVD: CVE-2019-17654

CREDITS

Independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev

Trust: 0.6

sources: CNNVD: CNNVD-202002-789

SOURCES

db: VULHUB, id: VHN-149922
db: JVNDB, id: JVNDB-2019-015075
db: CNNVD, id: CNNVD-202002-789
db: NVD, id: CVE-2019-17654

LAST UPDATE DATE

2024-08-14T15:22:45.686000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-149922, date: 2020-03-19T00:00:00
db: JVNDB, id: JVNDB-2019-015075, date: 2020-04-03T00:00:00
db: CNNVD, id: CNNVD-202002-789, date: 2020-03-24T00:00:00
db: NVD, id: CVE-2019-17654, date: 2020-03-19T20:15:35.033

SOURCES RELEASE DATE

db: VULHUB, id: VHN-149922, date: 2020-03-15T00:00:00
db: JVNDB, id: JVNDB-2019-015075, date: 2020-04-03T00:00:00
db: CNNVD, id: CNNVD-202002-789, date: 2020-02-14T00:00:00
db: NVD, id: CVE-2019-17654, date: 2020-03-15T23:15:11.407