Details of VAR-202107-0839

ID

VAR-202107-0839

CVE

CVE-2021-26095

TITLE

FortiMail Vulnerability in using cryptographic algorithms in

Trust: 0.8

sources: JVNDB: JVNDB-2021-009855

DESCRIPTION

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges. FortiMail Is vulnerable to the use of cryptographic algorithms.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Fortinet FortiMail is a suite of email security gateway products from Fortinet. The product provides features such as email security protection and data protection. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.88

sources: NVD: CVE-2021-26095 // JVNDB: JVNDB-2021-009855 // CNVD: CNVD-2022-19078 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-385059 // VULMON: CVE-2021-26095

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-19078

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimail	scope:	lt	version:	6.4.5	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	lte	version:	6.2.6	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	フォーティネット	model:	fortimail	scope:	eq	version:	6.2.0 to 6.2.6	Trust: 0.8
vendor:	フォーティネット	model:	fortimail	scope:	eq	version:	6.4.0 to 6.4.4	Trust: 0.8
vendor:	フォーティネット	model:	fortimail	scope:	eq	version:	-	Trust: 0.8
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.4.0,<=6.4.4	Trust: 0.6
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.2.0,<=6.2.6	Trust: 0.6

sources: CNVD: CNVD-2022-19078 // JVNDB: JVNDB-2021-009855 // NVD: CVE-2021-26095

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-26095
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-26095
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-26095
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-19078
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-843
value:	HIGH
Trust: 0.6
VULHUB:	VHN-385059
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-26095
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-19078
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-385059
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-26095
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-26095
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-26095
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-19078 // VULHUB: VHN-385059 // JVNDB: JVNDB-2021-009855 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-843 // NVD: CVE-2021-26095 // NVD: CVE-2021-26095

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD Evaluation ]	Trust: 0.8
problemtype:	CWE-327	Trust: 0.1

sources: VULHUB: VHN-385059 // JVNDB: JVNDB-2021-009855 // NVD: CVE-2021-26095

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-843

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-21-019	url:	https://fortiguard.com/advisory/FG-IR-21-019	Trust: 0.8
title:	Patch for Fortinet FortiMail Encryption Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/325301	Trust: 0.6
title:	Fortinet FortiMail Fixes for encryption problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156536	Trust: 0.6

sources: CNVD: CNVD-2022-19078 // JVNDB: JVNDB-2021-009855 // CNNVD: CNNVD-202107-843

EXTERNAL IDS

db:	NVD	id:	CVE-2021-26095	Trust: 4.0
db:	JVNDB	id:	JVNDB-2021-009855	Trust: 0.8
db:	CNVD	id:	CNVD-2022-19078	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2380	Trust: 0.6
db:	CS-HELP	id:	SB2021071352	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-843	Trust: 0.6
db:	VULHUB	id:	VHN-385059	Trust: 0.1
db:	VULMON	id:	CVE-2021-26095	Trust: 0.1

sources: CNVD: CNVD-2022-19078 // VULHUB: VHN-385059 // VULMON: CVE-2021-26095 // JVNDB: JVNDB-2021-009855 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-843 // NVD: CVE-2021-26095

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-21-019	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-26095	Trust: 1.4
url:	https://www.fortinet.com/products/email-security	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2380	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071352	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

SOURCES

db:	CNVD	id:	CNVD-2022-19078
db:	VULHUB	id:	VHN-385059
db:	VULMON	id:	CVE-2021-26095
db:	JVNDB	id:	JVNDB-2021-009855
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-843
db:	NVD	id:	CVE-2021-26095

LAST UPDATE DATE

2024-08-14T13:10:16.730000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-19078	date:	2022-03-14T00:00:00
db:	VULHUB	id:	VHN-385059	date:	2021-07-28T00:00:00
db:	VULMON	id:	CVE-2021-26095	date:	2021-07-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-009855	date:	2022-06-02T06:10:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-843	date:	2021-08-25T00:00:00
db:	NVD	id:	CVE-2021-26095	date:	2023-08-08T14:22:24.967

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-19078	date:	2022-03-14T00:00:00
db:	VULHUB	id:	VHN-385059	date:	2021-07-20T00:00:00
db:	VULMON	id:	CVE-2021-26095	date:	2021-07-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-009855	date:	2022-06-02T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-843	date:	2021-07-13T00:00:00
db:	NVD	id:	CVE-2021-26095	date:	2021-07-20T11:15:11.477