ID

VAR-202109-0172


CVE

CVE-2020-29012


TITLE

Session deadline vulnerability in FortiSandbox

Trust: 0.8

sources: JVNDB: JVNDB-2021-011440

DESCRIPTION

An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks). FortiSandbox contains a session expiration vulnerability. Information may be obtained. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.

Trust: 2.34

sources: NVD: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-375139 // VULMON: CVE-2020-29012

AFFECTED PRODUCTS

vendor: fortinet, model: fortisandbox, scope: lt, version: 3.2.2

Trust: 1.0

vendor: Fortinet, model: fortisandbox, scope: eq, version: -

Trust: 0.8

vendor: Fortinet, model: fortisandbox, scope: lte, version: 3.2.1 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2021-011440 // NVD: CVE-2020-29012

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-29012
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2020-29012
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-29012
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-290
value: MEDIUM

Trust: 0.6

VULHUB: VHN-375139
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-29012
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-29012
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-375139
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-29012
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2020-29012
baseSeverity: MEDIUM
baseScore: 5.6
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2020-29012
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-375139 // VULMON: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-290 // NVD: CVE-2020-29012 // NVD: CVE-2020-29012

PROBLEMTYPE DATA

problemtype: CWE-613

Trust: 1.1

problemtype: Inappropriate session deadline (CWE-613) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-375139 // JVNDB: JVNDB-2021-011440 // NVD: CVE-2020-29012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-290

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: FG-IR-20-070, url: https://www.fortiguard.com/psirt/FG-IR-20-070

Trust: 0.8

title: Fortinet FortiSandbox Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=161880

Trust: 0.6

sources: JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202109-290

EXTERNAL IDS

db: NVD, id: CVE-2020-29012

Trust: 3.4

db: JVNDB, id: JVNDB-2021-011440

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT, id: ESB-2021.3005

Trust: 0.6

db: CS-HELP, id: SB2021090717

Trust: 0.6

db: CNNVD, id: CNNVD-202109-290

Trust: 0.6

db: VULHUB, id: VHN-375139

Trust: 0.1

db: VULMON, id: CVE-2020-29012

Trust: 0.1

sources: VULHUB: VHN-375139 // VULMON: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-290 // NVD: CVE-2020-29012

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-20-070

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-29012

Trust: 0.8

url: https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2021.3005

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021090717

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/613.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-375139 // VULMON: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-290 // NVD: CVE-2020-29012

SOURCES

db: VULHUB, id: VHN-375139
db: VULMON, id: CVE-2020-29012
db: JVNDB, id: JVNDB-2021-011440
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202109-290
db: NVD, id: CVE-2020-29012

LAST UPDATE DATE

2024-08-14T12:44:18.990000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-375139, date: 2021-09-14T00:00:00
db: VULMON, id: CVE-2020-29012, date: 2021-09-14T00:00:00
db: JVNDB, id: JVNDB-2021-011440, date: 2022-07-29T07:23:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202109-290, date: 2021-09-15T00:00:00
db: NVD, id: CVE-2020-29012, date: 2021-09-14T14:38:01.747

SOURCES RELEASE DATE

db: VULHUB, id: VHN-375139, date: 2021-09-08T00:00:00
db: VULMON, id: CVE-2020-29012, date: 2021-09-08T00:00:00
db: JVNDB, id: JVNDB-2021-011440, date: 2022-07-29T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202109-290, date: 2021-09-07T00:00:00
db: NVD, id: CVE-2020-29012, date: 2021-09-08T11:15:07.237