ID

VAR-202107-0625


CVE

CVE-2021-24005


TITLE

FortiAuthenticator: use of hard-coded credentials vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-008894

DESCRIPTION

Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key. FortiAuthenticator is vulnerable to the use of hard-coded credentials. Information may be obtained. Pillow is a Python-based image processing library. There is currently no further information about this vulnerability; please follow CNNVD or manufacturer announcements. Fortinet FortiAuthenticator WEB UI is the web interface of Fortinet's centralized user identity management solution. The following products and versions are affected: FortiAuthenticator 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1.

Trust: 2.34

sources: NVD: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-382723 // VULMON: CVE-2021-24005

AFFECTED PRODUCTS

vendor: fortinet, model: fortiauthenticator, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortiauthenticator, scope: lt, version: 6.3.0

Trust: 1.0

vendor: Fortinet, model: fortiauthenticator, scope: eq, version: -

Trust: 0.8

vendor: Fortinet, model: fortiauthenticator, scope: eq, version: 6.3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-008894 // NVD: CVE-2021-24005

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-24005
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-24005
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-24005
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202106-081
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

VULHUB: VHN-382723
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-24005
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-24005
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-382723
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-24005
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-24005
baseSeverity: MEDIUM
baseScore: 4.0
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.5
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-24005
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-382723 // VULMON: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-24005 // NVD: CVE-2021-24005

PROBLEMTYPE DATA

problemtype: CWE-798

Trust: 1.1

problemtype: Use of hard-coded credentials (CWE-798) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-382723 // JVNDB: JVNDB-2021-008894 // NVD: CVE-2021-24005

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-081

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202106-081

PATCH

title: FG-IR-20-049, url: https://www.fortiguard.com/psirt/FG-IR-20-049

Trust: 0.8

title: FortiAuthenticator security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152519

Trust: 0.6

sources: JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081

EXTERNAL IDS

db: NVD, id: CVE-2021-24005

Trust: 3.4

db: JVNDB, id: JVNDB-2021-008894

Trust: 0.8

db: CNNVD, id: CNNVD-202106-081

Trust: 0.7

db: AUSCERT, id: ESB-2021.1886

Trust: 0.6

db: CS-HELP, id: SB2021060139

Trust: 0.6

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: VULHUB, id: VHN-382723

Trust: 0.1

db: VULMON, id: CVE-2021-24005

Trust: 0.1

sources: VULHUB: VHN-382723 // VULMON: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-24005

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-20-049

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2021-24005

Trust: 0.8

url: https://www.cybersecurity-help.cz/vdb/sb2021060139

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2021.1886

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/798.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-382723 // VULMON: CVE-2021-24005 // JVNDB: JVNDB-2021-008894 // CNNVD: CNNVD-202106-081 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-24005

SOURCES

db: VULHUB, id: VHN-382723
db: VULMON, id: CVE-2021-24005
db: JVNDB, id: JVNDB-2021-008894
db: CNNVD, id: CNNVD-202106-081
db: CNNVD, id: CNNVD-202104-975
db: NVD, id: CVE-2021-24005

LAST UPDATE DATE

2024-08-14T12:45:47.331000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-382723, date: 2021-07-08T00:00:00
db: VULMON, id: CVE-2021-24005, date: 2021-07-08T00:00:00
db: JVNDB, id: JVNDB-2021-008894, date: 2022-03-31T04:45:00
db: CNNVD, id: CNNVD-202106-081, date: 2021-07-09T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: NVD, id: CVE-2021-24005, date: 2021-07-08T17:36:25.613

SOURCES RELEASE DATE

db: VULHUB, id: VHN-382723, date: 2021-07-06T00:00:00
db: VULMON, id: CVE-2021-24005, date: 2021-07-06T00:00:00
db: JVNDB, id: JVNDB-2021-008894, date: 2022-03-31T00:00:00
db: CNNVD, id: CNNVD-202106-081, date: 2021-06-01T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: NVD, id: CVE-2021-24005, date: 2021-07-06T11:15:08.560