Details of VAR-202109-0398

ID

VAR-202109-0398

CVE

CVE-2021-24006

TITLE

FortiManager Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-010804

DESCRIPTION

An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL. FortiManager Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management

Trust: 2.34

sources: NVD: CVE-2021-24006 // JVNDB: JVNDB-2021-010804 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-382724 // VULMON: CVE-2021-24006

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	6.4.4	Trust: 1.0
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.4.0 to 6.4.3	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-010804 // NVD: CVE-2021-24006

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-24006
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-24006
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-24006
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-359
value:	HIGH
Trust: 0.6
VULHUB:	VHN-382724
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-24006
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-24006
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-382724
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-24006
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-24006
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	3.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-24006
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-382724 // VULMON: CVE-2021-24006 // JVNDB: JVNDB-2021-010804 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-359 // NVD: CVE-2021-24006 // NVD: CVE-2021-24006

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	others (CWE-Other) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-010804 // NVD: CVE-2021-24006

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-359

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-20-061	url:	https://www.fortiguard.com/psirt/FG-IR-20-061	Trust: 0.8
title:	Fortinet FortiManager Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158605	Trust: 0.6

sources: JVNDB: JVNDB-2021-010804 // CNNVD: CNNVD-202108-359

EXTERNAL IDS

db:	NVD	id:	CVE-2021-24006	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-010804	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-359	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021080317	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2617	Trust: 0.6
db:	VULHUB	id:	VHN-382724	Trust: 0.1
db:	VULMON	id:	CVE-2021-24006	Trust: 0.1

sources: VULHUB: VHN-382724 // VULMON: CVE-2021-24006 // JVNDB: JVNDB-2021-010804 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-359 // NVD: CVE-2021-24006

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-061	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-24006	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080317	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortimanager-privilege-escalation-via-sd-wan-orchestrator-panel-36037	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2617	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/863.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-382724 // VULMON: CVE-2021-24006 // JVNDB: JVNDB-2021-010804 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-359 // NVD: CVE-2021-24006

SOURCES

db:	VULHUB	id:	VHN-382724
db:	VULMON	id:	CVE-2021-24006
db:	JVNDB	id:	JVNDB-2021-010804
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-359
db:	NVD	id:	CVE-2021-24006

LAST UPDATE DATE

2024-08-14T12:26:03.319000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-382724	date:	2022-06-28T00:00:00
db:	VULMON	id:	CVE-2021-24006	date:	2021-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2021-010804	date:	2022-07-08T05:24:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-359	date:	2021-09-13T00:00:00
db:	NVD	id:	CVE-2021-24006	date:	2022-06-28T14:11:45.273

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-382724	date:	2021-09-06T00:00:00
db:	VULMON	id:	CVE-2021-24006	date:	2021-09-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-010804	date:	2022-07-08T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-359	date:	2021-08-03T00:00:00
db:	NVD	id:	CVE-2021-24006	date:	2021-09-06T19:15:07.427