Details of VAR-202109-0172

ID

VAR-202109-0172

CVE

CVE-2020-29012

TITLE

FortiSandbox Session deadline vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-011440

DESCRIPTION

An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks). FortiSandbox contains a session expiration vulnerability.Information may be obtained. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.34

sources: NVD: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-375139 // VULMON: CVE-2020-29012

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.2.2	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	lte	version:	3.2.1 and earlier	Trust: 0.8

sources: JVNDB: JVNDB-2021-011440 // NVD: CVE-2020-29012

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-29012
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2020-29012
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-29012
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202109-290
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-375139
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-29012
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-29012
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-375139
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-29012
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2020-29012
baseSeverity:	MEDIUM
baseScore:	5.6
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.2
impactScore:	3.4
version:	3.1
Trust: 1.0
NVD:	CVE-2020-29012
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-375139 // VULMON: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-290 // NVD: CVE-2020-29012 // NVD: CVE-2020-29012

PROBLEMTYPE DATA

problemtype:	CWE-613	Trust: 1.1
problemtype:	Inappropriate session deadline (CWE-613) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-375139 // JVNDB: JVNDB-2021-011440 // NVD: CVE-2020-29012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-290

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-20-070	url:	https://www.fortiguard.com/psirt/FG-IR-20-070	Trust: 0.8
title:	Fortinet FortiSandbox Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=161880	Trust: 0.6

sources: JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202109-290

EXTERNAL IDS

db:	NVD	id:	CVE-2020-29012	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-011440	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3005	Trust: 0.6
db:	CS-HELP	id:	SB2021090717	Trust: 0.6
db:	CNNVD	id:	CNNVD-202109-290	Trust: 0.6
db:	VULHUB	id:	VHN-375139	Trust: 0.1
db:	VULMON	id:	CVE-2020-29012	Trust: 0.1

sources: VULHUB: VHN-375139 // VULMON: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-290 // NVD: CVE-2020-29012

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-070	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-29012	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3005	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021090717	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/613.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-375139 // VULMON: CVE-2020-29012 // JVNDB: JVNDB-2021-011440 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-290 // NVD: CVE-2020-29012

SOURCES

db:	VULHUB	id:	VHN-375139
db:	VULMON	id:	CVE-2020-29012
db:	JVNDB	id:	JVNDB-2021-011440
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202109-290
db:	NVD	id:	CVE-2020-29012

LAST UPDATE DATE

2024-08-14T12:44:18.990000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-375139	date:	2021-09-14T00:00:00
db:	VULMON	id:	CVE-2020-29012	date:	2021-09-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-011440	date:	2022-07-29T07:23:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202109-290	date:	2021-09-15T00:00:00
db:	NVD	id:	CVE-2020-29012	date:	2021-09-14T14:38:01.747

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-375139	date:	2021-09-08T00:00:00
db:	VULMON	id:	CVE-2020-29012	date:	2021-09-08T00:00:00
db:	JVNDB	id:	JVNDB-2021-011440	date:	2022-07-29T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202109-290	date:	2021-09-07T00:00:00
db:	NVD	id:	CVE-2020-29012	date:	2021-09-08T11:15:07.237