Details of VAR-202101-0500

ID

VAR-202101-0500

CVE

CVE-2020-29015

TITLE

FortiWeb In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-015414

DESCRIPTION

A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement. FortiWeb Has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content

Trust: 1.8

sources: NVD: CVE-2020-29015 // JVNDB: JVNDB-2020-015414 // VULHUB: VHN-375142 // VULMON: CVE-2020-29015

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	lt	version:	6.2.4	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.3.7	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.3.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiweb	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiweb	scope:	eq	version:	6.2.4	Trust: 0.8
vendor:	フォーティネット	model:	fortiweb	scope:	eq	version:	6.3.0 to 6.3.7	Trust: 0.8

sources: JVNDB: JVNDB-2020-015414 // NVD: CVE-2020-29015

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-29015
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2020-29015
value:	CRITICAL
Trust: 0.8
VULHUB:	VHN-375142
value:	HIGH
Trust: 0.1
VULMON:	CVE-2020-29015
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-29015
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-375142
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-29015
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-29015
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-375142 // VULMON: CVE-2020-29015 // JVNDB: JVNDB-2020-015414 // NVD: CVE-2020-29015

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-375142 // JVNDB: JVNDB-2020-015414 // NVD: CVE-2020-29015

PATCH

title:	FG-IR-20-124	url:	https://www.fortiguard.com/psirt/FG-IR-20-124	Trust: 0.8
title:	BleepingComputer	url:	https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-vulnerabilities-in-ssl-vpn-and-web-firewall/	Trust: 0.1

sources: VULMON: CVE-2020-29015 // JVNDB: JVNDB-2020-015414

EXTERNAL IDS

db:	NVD	id:	CVE-2020-29015	Trust: 2.0
db:	JVNDB	id:	JVNDB-2020-015414	Trust: 0.8
db:	VULHUB	id:	VHN-375142	Trust: 0.1
db:	VULMON	id:	CVE-2020-29015	Trust: 0.1

sources: VULHUB: VHN-375142 // VULMON: CVE-2020-29015 // JVNDB: JVNDB-2020-015414 // NVD: CVE-2020-29015

REFERENCES

url:	https://www.fortiguard.com/psirt/fg-ir-20-124	Trust: 1.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-29015	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-vulnerabilities-in-ssl-vpn-and-web-firewall/	Trust: 0.1
url:	https://www.fortiguard.com/psirt/%20fg-ir-20-124	Trust: 0.1

sources: VULHUB: VHN-375142 // VULMON: CVE-2020-29015 // JVNDB: JVNDB-2020-015414 // NVD: CVE-2020-29015

SOURCES

db:	VULHUB	id:	VHN-375142
db:	VULMON	id:	CVE-2020-29015
db:	JVNDB	id:	JVNDB-2020-015414
db:	NVD	id:	CVE-2020-29015

LAST UPDATE DATE

2024-08-14T15:17:21.664000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-375142	date:	2021-01-20T00:00:00
db:	VULMON	id:	CVE-2020-29015	date:	2021-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2020-015414	date:	2021-09-22T06:11:00
db:	NVD	id:	CVE-2020-29015	date:	2021-01-20T20:59:04.870

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-375142	date:	2021-01-14T00:00:00
db:	VULMON	id:	CVE-2020-29015	date:	2021-01-14T00:00:00
db:	JVNDB	id:	JVNDB-2020-015414	date:	2021-09-22T00:00:00
db:	NVD	id:	CVE-2020-29015	date:	2021-01-14T16:15:17.883