ID

VAR-202108-0656


CVE

CVE-2021-32598


TITLE

HTTP Request Smuggling Vulnerability in FortiManager and FortiAnalyzer GUI

Trust: 0.8

sources: JVNDB: JVNDB-2021-009724

DESCRIPTION

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability in FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, and 5.6.11 and below may allow an authenticated, remote attacker to perform an HTTP request splitting attack, which gives the attacker control of the remaining headers and body of the response. The FortiManager and FortiAnalyzer GUI contains an HTTP request smuggling vulnerability; information may be tampered with. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different administrative domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and to analyze, report on, and archive the security events, network traffic, and Web content in those logs through its report suite. Injection vulnerabilities exist in Fortinet FortiManager and Fortinet FortiAnalyzer. The vulnerability is caused by incorrect handling of CRLF character sequences in the FortiManager and FortiAnalyzer GUI. A remote user can send a specially crafted request containing a CRLF sequence and cause the application to send a split (fragmented) HTTP response.

Trust: 2.34

sources: NVD: CVE-2021-32598 // JVNDB: JVNDB-2021-009724 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-392570 // VULMON: CVE-2021-32598

AFFECTED PRODUCTS

vendor: fortinet, model: fortianalyzer, scope: lt, version: 7.0.1

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lt, version: 7.0.1

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: gte, version: 5.6.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gte, version: 5.6.0

Trust: 1.0

vendor: Fortinet, model: fortianalyzer, scope: lte, version: 5.6.11 and earlier

Trust: 0.8

vendor: Fortinet, model: fortianalyzer, scope: lte, version: 6.4.6 and earlier

Trust: 0.8

vendor: Fortinet, model: fortianalyzer, scope: eq, version: -

Trust: 0.8

vendor: Fortinet, model: fortianalyzer, scope: lte, version: 6.2.8 and earlier

Trust: 0.8

vendor: Fortinet, model: fortianalyzer, scope: eq, version: 7.0.0

Trust: 0.8

vendor: Fortinet, model: fortianalyzer, scope: lte, version: 6.0.11 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2021-009724 // NVD: CVE-2021-32598

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32598
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-32598
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-32598
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-340
value: MEDIUM

Trust: 0.6

VULHUB: VHN-392570
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-32598
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32598
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-392570
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-32598
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 2.0

NVD: CVE-2021-32598
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-392570 // VULMON: CVE-2021-32598 // JVNDB: JVNDB-2021-009724 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-340 // NVD: CVE-2021-32598 // NVD: CVE-2021-32598

PROBLEMTYPE DATA

problemtype: CWE-444

Trust: 1.1

problemtype: HTTP Request Smuggling (CWE-444) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-392570 // JVNDB: JVNDB-2021-009724 // NVD: CVE-2021-32598

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-340

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: FG-IR-21-063, url: https://www.fortiguard.com/psirt/FG-IR-21-063

Trust: 0.8

title: Remediation measures for the Fortinet FortiManager and Fortinet FortiAnalyzer environment-issue vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159850

Trust: 0.6

sources: JVNDB: JVNDB-2021-009724 // CNNVD: CNNVD-202108-340

EXTERNAL IDS

db: NVD, id: CVE-2021-32598

Trust: 3.4

db: JVNDB, id: JVNDB-2021-009724

Trust: 0.8

db: CNNVD, id: CNNVD-202108-340

Trust: 0.7

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT, id: ESB-2021.2617

Trust: 0.6

db: CS-HELP, id: SB2021080318

Trust: 0.6

db: VULHUB, id: VHN-392570

Trust: 0.1

db: VULMON, id: CVE-2021-32598

Trust: 0.1

sources: VULHUB: VHN-392570 // VULMON: CVE-2021-32598 // JVNDB: JVNDB-2021-009724 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-340 // NVD: CVE-2021-32598

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-063

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2021-32598

Trust: 1.4

url: https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021080318

Trust: 0.6

url: https://vigilance.fr/vulnerability/fortianalyzer-fortimanager-information-disclosure-via-http-response-splitting-36043

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2021.2617

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/444.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-392570 // VULMON: CVE-2021-32598 // JVNDB: JVNDB-2021-009724 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-340 // NVD: CVE-2021-32598

SOURCES

db: VULHUB, id: VHN-392570
db: VULMON, id: CVE-2021-32598
db: JVNDB, id: JVNDB-2021-009724
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202108-340
db: NVD, id: CVE-2021-32598

LAST UPDATE DATE

2024-08-14T13:13:06.303000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-392570, date: 2021-08-12T00:00:00
db: VULMON, id: CVE-2021-32598, date: 2021-08-12T00:00:00
db: JVNDB, id: JVNDB-2021-009724, date: 2022-05-18T02:49:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202108-340, date: 2021-08-25T00:00:00
db: NVD, id: CVE-2021-32598, date: 2021-08-12T19:30:55.813

SOURCES RELEASE DATE

db: VULHUB, id: VHN-392570, date: 2021-08-05T00:00:00
db: VULMON, id: CVE-2021-32598, date: 2021-08-05T00:00:00
db: JVNDB, id: JVNDB-2021-009724, date: 2022-05-18T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202108-340, date: 2021-08-03T00:00:00
db: NVD, id: CVE-2021-32598, date: 2021-08-05T11:15:07.417