Details of VAR-202108-0672

ID

VAR-202108-0672

CVE

CVE-2021-32587

TITLE

FortiManager and FortiAnalyzer Authentication Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2021-009597

DESCRIPTION

An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration. FortiManager and FortiAnalyzer Contains an improper authentication vulnerability.Information may be obtained. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite. FortiManager and FortiAnalyzer have an access control error vulnerability due to improper access restrictions. The vulnerability could allow a remote user to gain unauthorized access

Trust: 2.34

sources: NVD: CVE-2021-32587 // JVNDB: JVNDB-2021-009597 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-392559 // VULMON: CVE-2021-32587

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	lt	version:	7.0.1	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	5.6.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	6.4.6	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lt	version:	7.0.1	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lt	version:	6.4.6	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	5.6.0	Trust: 1.0
vendor:	フォーティネット	model:	fortianalyzer	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	lte	version:	6.2.8 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	lte	version:	6.4.5 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	lte	version:	6.0.11 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	lte	version:	5.6.11 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	7.0.0	Trust: 0.8

sources: JVNDB: JVNDB-2021-009597 // NVD: CVE-2021-32587

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32587
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2021-32587
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-32587
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-360
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-392559
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-32587
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-32587
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-392559
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-32587
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-009597
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-392559 // VULMON: CVE-2021-32587 // JVNDB: JVNDB-2021-009597 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-360 // NVD: CVE-2021-32587 // NVD: CVE-2021-32587

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	Bad authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-009597 // NVD: CVE-2021-32587

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-360

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-21-059	url:	https://www.fortiguard.com/psirt/FG-IR-21-059	Trust: 0.8
title:	Fortinet FortiManager and Fortinet FortiAnalyzer Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158606	Trust: 0.6

sources: JVNDB: JVNDB-2021-009597 // CNNVD: CNNVD-202108-360

EXTERNAL IDS

db:	NVD	id:	CVE-2021-32587	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-009597	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-360	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2617	Trust: 0.6
db:	CS-HELP	id:	SB2021080318	Trust: 0.6
db:	VULHUB	id:	VHN-392559	Trust: 0.1
db:	VULMON	id:	CVE-2021-32587	Trust: 0.1

sources: VULHUB: VHN-392559 // VULMON: CVE-2021-32587 // JVNDB: JVNDB-2021-009597 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-360 // NVD: CVE-2021-32587

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-21-059	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32587	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080318	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2617	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortianalyzer-fortimanager-information-disclosure-via-administrators-account-list-36042	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/863.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-392559 // VULMON: CVE-2021-32587 // JVNDB: JVNDB-2021-009597 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-360 // NVD: CVE-2021-32587

SOURCES

db:	VULHUB	id:	VHN-392559
db:	VULMON	id:	CVE-2021-32587
db:	JVNDB	id:	JVNDB-2021-009597
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-360
db:	NVD	id:	CVE-2021-32587

LAST UPDATE DATE

2024-08-14T12:09:25.660000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-392559	date:	2022-06-28T00:00:00
db:	VULMON	id:	CVE-2021-32587	date:	2021-08-18T00:00:00
db:	JVNDB	id:	JVNDB-2021-009597	date:	2022-05-11T07:26:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-360	date:	2021-08-24T00:00:00
db:	NVD	id:	CVE-2021-32587	date:	2022-06-28T14:11:45.273

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-392559	date:	2021-08-06T00:00:00
db:	VULMON	id:	CVE-2021-32587	date:	2021-08-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-009597	date:	2022-05-11T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-360	date:	2021-08-03T00:00:00
db:	NVD	id:	CVE-2021-32587	date:	2021-08-06T11:15:07.357