Details of VAR-202108-0364

ID

VAR-202108-0364

CVE

CVE-2021-22124

TITLE

FortiSandbox and FortiAuthenticator Resource Depletion Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-009740

DESCRIPTION

An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters. FortiSandbox and FortiAuthenticator Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Both Fortinet FortiSandbox and Fortinet FortiAuthenticator are products of Fortinet. Fortinet FortiSandbox is an APT (advanced persistent threat) protection device. The appliance offers features such as dual sandboxing technology, dynamic threat intelligence system, real-time dashboard and reporting. Fortinet FortiAuthenticator is a centralized user identity management solution

Trust: 2.34

sources: NVD: CVE-2021-22124 // JVNDB: JVNDB-2021-009740 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-380533 // VULMON: CVE-2021-22124

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiauthenticator	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	lte	version:	5.5.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	gte	version:	5.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.1.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.2.2	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.1.0	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	lt	version:	6.0.6	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.0.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	lte	version:	4.3.4	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.2.0 to 3.2.2	Trust: 0.8
vendor:	フォーティネット	model:	fortiauthenticator	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.1.0 to 3.1.4	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.0.0 to 3.0.6	Trust: 0.8

sources: JVNDB: JVNDB-2021-009740 // NVD: CVE-2021-22124

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22124
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-22124
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-22124
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-344
value:	HIGH
Trust: 0.6
VULHUB:	VHN-380533
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-22124
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-22124
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-380533
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22124
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 2.0
NVD:	CVE-2021-22124
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-380533 // VULMON: CVE-2021-22124 // JVNDB: JVNDB-2021-009740 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-344 // NVD: CVE-2021-22124 // NVD: CVE-2021-22124

PROBLEMTYPE DATA

problemtype:	CWE-400	Trust: 1.1
problemtype:	Resource exhaustion (CWE-400) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-380533 // JVNDB: JVNDB-2021-009740 // NVD: CVE-2021-22124

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-344

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-20-170	url:	https://www.fortiguard.com/psirt/FG-IR-20-170	Trust: 0.8
title:	Fortinet FortiSandbox and Fortinet FortiAuthenticator Remediation of resource management error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159851	Trust: 0.6

sources: JVNDB: JVNDB-2021-009740 // CNNVD: CNNVD-202108-344

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22124	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-009740	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-344	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021080316	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2618	Trust: 0.6
db:	VULHUB	id:	VHN-380533	Trust: 0.1
db:	VULMON	id:	CVE-2021-22124	Trust: 0.1

sources: VULHUB: VHN-380533 // VULMON: CVE-2021-22124 // JVNDB: JVNDB-2021-009740 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-344 // NVD: CVE-2021-22124

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-170	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22124	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080316	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2618	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/400.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-380533 // VULMON: CVE-2021-22124 // JVNDB: JVNDB-2021-009740 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-344 // NVD: CVE-2021-22124

SOURCES

db:	VULHUB	id:	VHN-380533
db:	VULMON	id:	CVE-2021-22124
db:	JVNDB	id:	JVNDB-2021-009740
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-344
db:	NVD	id:	CVE-2021-22124

LAST UPDATE DATE

2024-08-14T12:16:55.689000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-380533	date:	2021-08-12T00:00:00
db:	VULMON	id:	CVE-2021-22124	date:	2021-08-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-009740	date:	2022-05-18T05:43:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-344	date:	2021-08-17T00:00:00
db:	NVD	id:	CVE-2021-22124	date:	2021-08-12T13:39:09.087

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-380533	date:	2021-08-04T00:00:00
db:	VULMON	id:	CVE-2021-22124	date:	2021-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2021-009740	date:	2022-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-344	date:	2021-08-03T00:00:00
db:	NVD	id:	CVE-2021-22124	date:	2021-08-04T19:15:08.313