Details of VAR-202107-0625

ID

VAR-202107-0625

CVE

CVE-2021-24005

TITLE

FortiAuthenticator Vulnerability in Using Hard Coded Credentials

Trust: 0.8

sources: JVNDB: JVNDB-2021-008894

DESCRIPTION

Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key. FortiAuthenticator Is vulnerable to the use of hard-coded credentials.Information may be obtained. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Fortinet FortiAuthenticator WEB UI is a centralized user identity management solution Web interface of Fortinet. The following products and versions are affected: FortiAuthenticator: 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.4.0, 5.4 .1, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2 , 6.2.0, 6.2.1

Trust: 2.34

sources: NVD: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-382723 // VULMON: CVE-2021-24005

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiauthenticator	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	lt	version:	6.3.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiauthenticator	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiauthenticator	scope:	eq	version:	6.3.0	Trust: 0.8

sources: JVNDB: JVNDB-2021-008894 // NVD: CVE-2021-24005

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-24005
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-24005
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-24005
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202106-081
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-382723
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-24005
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-24005
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-382723
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-24005
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-24005
baseSeverity:	MEDIUM
baseScore:	4.0
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.5
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-24005
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-382723 // VULMON: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-24005 // NVD: CVE-2021-24005

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.1
problemtype:	Using hardcoded credentials (CWE-798) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-382723 // JVNDB: JVNDB-2021-008894 // NVD: CVE-2021-24005

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-081

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202106-081

PATCH

title:	FG-IR-20-049	url:	https://www.fortiguard.com/psirt/FG-IR-20-049	Trust: 0.8
title:	FortiAuthenticator Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152519	Trust: 0.6

sources: JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081

EXTERNAL IDS

db:	NVD	id:	CVE-2021-24005	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-008894	Trust: 0.8
db:	CNNVD	id:	CNNVD-202106-081	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.1886	Trust: 0.6
db:	CS-HELP	id:	SB2021060139	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	VULHUB	id:	VHN-382723	Trust: 0.1
db:	VULMON	id:	CVE-2021-24005	Trust: 0.1

sources: VULHUB: VHN-382723 // VULMON: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-24005

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-20-049	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-24005	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021060139	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1886	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-382723 // VULMON: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-24005

SOURCES

db:	VULHUB	id:	VHN-382723
db:	VULMON	id:	CVE-2021-24005
db:	JVNDB	id:	JVNDB-2021-008894
db:	CNNVD	id:	CNNVD-202106-081
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2021-24005

LAST UPDATE DATE

2024-08-14T12:45:47.331000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-382723	date:	2021-07-08T00:00:00
db:	VULMON	id:	CVE-2021-24005	date:	2021-07-08T00:00:00
db:	JVNDB	id:	JVNDB-2021-008894	date:	2022-03-31T04:45:00
db:	CNNVD	id:	CNNVD-202106-081	date:	2021-07-09T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-24005	date:	2021-07-08T17:36:25.613

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-382723	date:	2021-07-06T00:00:00
db:	VULMON	id:	CVE-2021-24005	date:	2021-07-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-008894	date:	2022-03-31T00:00:00
db:	CNNVD	id:	CNNVD-202106-081	date:	2021-06-01T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-24005	date:	2021-07-06T11:15:08.560