ID

VAR-202109-0063


CVE

CVE-2020-15939


TITLE

Vulnerability related to unauthorized authentication in FortiSandbox

Trust: 0.8

sources: JVNDB: JVNDB-2021-010803

DESCRIPTION

An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL. FortiSandbox contains an unauthorized authentication vulnerability; information may be obtained. Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection device from Fortinet. The device provides functions such as dual sandbox technology, a dynamic threat intelligence system, a real-time control panel and reports. Attackers can gain unauthorized access through the recovery URL download function.

Trust: 2.88

sources: NVD: CVE-2020-15939 // JVNDB: JVNDB-2021-010803 // CNVD: CNVD-2021-84597 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-168967 // VULMON: CVE-2020-15939

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-84597

AFFECTED PRODUCTS

vendor: fortinet
model: fortisandbox
scope: lt
version: 3.1.5

Trust: 1.6

vendor: fortinet
model: fortisandbox
scope: gte
version: 3.2.0

Trust: 1.0

vendor: fortinet
model: fortisandbox
scope: lt
version: 3.2.2

Trust: 1.0

vendor: フォーティネット
model: fortisandbox
scope: lte
version: 3.1.4 and earlier

Trust: 0.8

vendor: フォーティネット
model: fortisandbox
scope: eq
version: -

Trust: 0.8

vendor: フォーティネット
model: fortisandbox
scope: lte
version: 3.2.1 and earlier

Trust: 0.8

vendor: fortinet
model: fortisandbox
scope: gte
version: 3.2.0,<3.2.2

Trust: 0.6

sources: CNVD: CNVD-2021-84597 // JVNDB: JVNDB-2021-010803 // NVD: CVE-2020-15939

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-15939
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2020-15939
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-15939
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-84597
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-293
value: MEDIUM

Trust: 0.6

VULHUB: VHN-168967
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-15939
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-15939
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-84597
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-168967
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-15939
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-010803
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-84597 // VULHUB: VHN-168967 // VULMON: CVE-2020-15939 // JVNDB: JVNDB-2021-010803 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-293 // NVD: CVE-2020-15939 // NVD: CVE-2020-15939

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:Illegal authentication (CWE-863) [NVD evaluation]

Trust: 0.8

problemtype:CWE-863

Trust: 0.1

sources: VULHUB: VHN-168967 // JVNDB: JVNDB-2021-010803 // NVD: CVE-2020-15939

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-293

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-293

PATCH

title: FG-IR-20-071
url: https://www.fortiguard.com/psirt/FG-IR-20-071

Trust: 0.8

title: Patch for Fortinet FortiSandbox Access Control Error Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/297216

Trust: 0.6

title: Fortinet FortiSandbox Fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158545

Trust: 0.6

sources: CNVD: CNVD-2021-84597 // JVNDB: JVNDB-2021-010803 // CNNVD: CNNVD-202108-293

EXTERNAL IDS

db: NVD
id: CVE-2020-15939

Trust: 4.0

db: JVNDB
id: JVNDB-2021-010803

Trust: 0.8

db: CNVD
id: CNVD-2021-84597

Trust: 0.6

db: CS-HELP
id: SB2021041363

Trust: 0.6

db: CNNVD
id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT
id: ESB-2021.2616

Trust: 0.6

db: CS-HELP
id: SB2021080315

Trust: 0.6

db: CNNVD
id: CNNVD-202108-293

Trust: 0.6

db: VULHUB
id: VHN-168967

Trust: 0.1

db: VULMON
id: CVE-2020-15939

Trust: 0.1

sources: CNVD: CNVD-2021-84597 // VULHUB: VHN-168967 // VULMON: CVE-2020-15939 // JVNDB: JVNDB-2021-010803 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-293 // NVD: CVE-2020-15939

REFERENCES

url:https://fortiguard.com/advisory/fg-ir-20-071

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-15939

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021080315

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2616

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-84597 // VULHUB: VHN-168967 // VULMON: CVE-2020-15939 // JVNDB: JVNDB-2021-010803 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-293 // NVD: CVE-2020-15939

SOURCES

db: CNVD, id: CNVD-2021-84597
db: VULHUB, id: VHN-168967
db: VULMON, id: CVE-2020-15939
db: JVNDB, id: JVNDB-2021-010803
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202108-293
db: NVD, id: CVE-2020-15939

LAST UPDATE DATE

2024-08-14T12:06:49.035000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-84597, date: 2021-11-07T00:00:00
db: VULHUB, id: VHN-168967, date: 2022-07-12T00:00:00
db: VULMON, id: CVE-2020-15939, date: 2021-09-10T00:00:00
db: JVNDB, id: JVNDB-2021-010803, date: 2022-07-08T05:24:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202108-293, date: 2022-07-14T00:00:00
db: NVD, id: CVE-2020-15939, date: 2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-84597, date: 2021-11-06T00:00:00
db: VULHUB, id: VHN-168967, date: 2021-09-06T00:00:00
db: VULMON, id: CVE-2020-15939, date: 2021-09-06T00:00:00
db: JVNDB, id: JVNDB-2021-010803, date: 2022-07-08T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202108-293, date: 2021-08-03T00:00:00
db: NVD, id: CVE-2020-15939, date: 2021-09-06T16:15:07.373