Sign-up

ID

VAR-202003-0840


CVE

CVE-2019-17654


TITLE

FortiManager Vulnerability in inadequate validation of data reliability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-015075

DESCRIPTION

An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack. FortiManager Exists in an inadequate validation of data reliability vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. A security vulnerability exists in Fortinet FortiManager versions 6.2.0 to 6.2.1 and versions 6.0.6 and earlier

Trust: 1.71

sources: NVD: CVE-2019-17654 // JVNDB: JVNDB-2019-015075 // VULHUB: VHN-149922

AFFECTED PRODUCTS

vendor:fortinetmodel:fortimanagerscope:eqversion:6.2.0

Trust: 1.8

vendor:fortinetmodel:fortimanagerscope:eqversion:6.2.1

Trust: 1.8

vendor:fortinetmodel:fortimanagerscope:lteversion:6.0.6

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:eqversion:6.0.6

Trust: 0.8

sources: JVNDB: JVNDB-2019-015075 // NVD: CVE-2019-17654

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-17654
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015075
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202002-789
value: HIGH

Trust: 0.6

VULHUB: VHN-149922
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-17654
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-015075
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-149922
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-17654
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015075
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149922 // JVNDB: JVNDB-2019-015075 // CNNVD: CNNVD-202002-789 // NVD: CVE-2019-17654

PROBLEMTYPE DATA

problemtype:CWE-345

Trust: 1.9

sources: VULHUB: VHN-149922 // JVNDB: JVNDB-2019-015075 // NVD: CVE-2019-17654

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-789

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202002-789

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-015075

PATCH
title:FG-IR-19-191url:https://fortiguard.com/psirt/FG-IR-19-191
Trust: 0.8
title:Fortinet FortiManager Repair measures for data forgery problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111188
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-015075 // 
            
            
            
            CNNVD: CNNVD-202002-789

EXTERNAL IDS
db:NVDid:CVE-2019-17654
Trust: 2.5
db:JVNDBid:JVNDB-2019-015075
Trust: 0.8
db:CNNVDid:CNNVD-202002-789
Trust: 0.7
db:AUSCERTid:ESB-2020.0507
Trust: 0.6
db:AUSCERTid:ESB-2020.0510
Trust: 0.6
db:VULHUBid:VHN-149922
Trust: 0.1
sources:
            
            
            VULHUB: VHN-149922 // 
            
            
            
            JVNDB: JVNDB-2019-015075 // 
            
            
            
            CNNVD: CNNVD-202002-789 // 
            
            
            
            NVD: CVE-2019-17654

REFERENCES
url:https://fortiguard.com/psirt/fg-ir-19-191
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-17654
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17654
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0507/
Trust: 0.6
url:https://vigilance.fr/vulnerability/fortimanager-information-disclosure-via-cross-site-websocket-hijacking-31602
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0510/
Trust: 0.6
sources:
            
            
            VULHUB: VHN-149922 // 
            
            
            
            JVNDB: JVNDB-2019-015075 // 
            
            
            
            CNNVD: CNNVD-202002-789 // 
            
            
            
            NVD: CVE-2019-17654

CREDITS
Independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202002-789

SOURCES
db:VULHUBid:VHN-149922
db:JVNDBid:JVNDB-2019-015075
db:CNNVDid:CNNVD-202002-789
db:NVDid:CVE-2019-17654

LAST UPDATE DATE
2024-08-14T15:22:45.686000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-149922date:2020-03-19T00:00:00
db:JVNDBid:JVNDB-2019-015075date:2020-04-03T00:00:00
db:CNNVDid:CNNVD-202002-789date:2020-03-24T00:00:00
db:NVDid:CVE-2019-17654date:2020-03-19T20:15:35.033

SOURCES RELEASE DATE
db:VULHUBid:VHN-149922date:2020-03-15T00:00:00
db:JVNDBid:JVNDB-2019-015075date:2020-04-03T00:00:00
db:CNNVDid:CNNVD-202002-789date:2020-02-14T00:00:00
db:NVDid:CVE-2019-17654date:2020-03-15T23:15:11.407