Details of VAR-202103-0560

ID

VAR-202103-0560

CVE

CVE-2021-22128

TITLE

FortiProxy Authentication Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2021-004234

DESCRIPTION

An improper access control vulnerability in FortiProxy SSL VPN portal 2.0.0, 1.2.9 and below versions may allow an authenticated, remote attacker to access internal service such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality. FortiProxy Contains an improper authentication vulnerability.Information may be obtained. Fortinet FortiProxy SSL VPN is an application software of the United States (Fortinet) company. An intrusion detection function is provided. There is a security vulnerability in FortiProxy SSL VPN, which allows attackers to exploit the vulnerability to obtain credentials of SSL VPN users

Trust: 1.71

sources: NVD: CVE-2021-22128 // JVNDB: JVNDB-2021-004234 // VULHUB: VHN-380537

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiproxy	scope:	lte	version:	1.2.9	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	eq	version:	2.0.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiproxy	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiproxy	scope:	eq	version:	2.0.0	Trust: 0.8
vendor:	フォーティネット	model:	fortiproxy	scope:	lte	version:	1.2.9 and earlier	Trust: 0.8

sources: JVNDB: JVNDB-2021-004234 // NVD: CVE-2021-22128

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22128
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2021-22128
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-22128
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202103-324
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-380537
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-22128
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-380537
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22128
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-22128
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22128
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-380537 // JVNDB: JVNDB-2021-004234 // CNNVD: CNNVD-202103-324 // NVD: CVE-2021-22128 // NVD: CVE-2021-22128

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	Bad authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-004234 // NVD: CVE-2021-22128

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-324

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202103-324

PATCH

title:	FG-IR-20-235	url:	https://fortiguard.com/advisory/FG-IR-20-235	Trust: 0.8
title:	Fortinet FortiProxy SSL VPN Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143734	Trust: 0.6

sources: JVNDB: JVNDB-2021-004234 // CNNVD: CNNVD-202103-324

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22128	Trust: 2.5
db:	JVNDB	id:	JVNDB-2021-004234	Trust: 0.8
db:	CNNVD	id:	CNNVD-202103-324	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0775	Trust: 0.6
db:	VULHUB	id:	VHN-380537	Trust: 0.1

sources: VULHUB: VHN-380537 // JVNDB: JVNDB-2021-004234 // CNNVD: CNNVD-202103-324 // NVD: CVE-2021-22128

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-235	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22128	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.0775	Trust: 0.6

sources: VULHUB: VHN-380537 // JVNDB: JVNDB-2021-004234 // CNNVD: CNNVD-202103-324 // NVD: CVE-2021-22128

SOURCES

db:	VULHUB	id:	VHN-380537
db:	JVNDB	id:	JVNDB-2021-004234
db:	CNNVD	id:	CNNVD-202103-324
db:	NVD	id:	CVE-2021-22128

LAST UPDATE DATE

2024-08-14T13:44:56.814000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-380537	date:	2022-07-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-004234	date:	2021-11-17T03:16:00
db:	CNNVD	id:	CNNVD-202103-324	date:	2022-07-14T00:00:00
db:	NVD	id:	CVE-2021-22128	date:	2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-380537	date:	2021-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2021-004234	date:	2021-11-17T00:00:00
db:	CNNVD	id:	CNNVD-202103-324	date:	2021-03-04T00:00:00
db:	NVD	id:	CVE-2021-22128	date:	2021-03-04T18:15:13.130