Details of VAR-202109-0400

ID

VAR-202109-0400

CVE

CVE-2021-24017

TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. FortiManager has a security vulnerability that stems from improper authentication in FortiManager

Trust: 1.62

sources: NVD: CVE-2021-24017 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-382735 // VULMON: CVE-2021-24017

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	6.4.4	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	6.2.7	Trust: 1.0

sources: NVD: CVE-2021-24017

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-24017
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2021-24017
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202109-367
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-382735
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-24017
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-24017
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-382735
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-24017
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-24017
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-382735 // VULMON: CVE-2021-24017 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-367 // NVD: CVE-2021-24017 // NVD: CVE-2021-24017

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.1

sources: VULHUB: VHN-382735 // NVD: CVE-2021-24017

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-367

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:

Fortinet FortiManager Remediation measures for authorization problem vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=162229

Trust: 0.6

sources: CNNVD: CNNVD-202109-367

EXTERNAL IDS

db:	NVD	id:	CVE-2021-24017	Trust: 1.8
db:	CNNVD	id:	CNNVD-202109-367	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3003	Trust: 0.6
db:	CS-HELP	id:	SB2021090808	Trust: 0.6
db:	CNVD	id:	CNVD-2022-05869	Trust: 0.1
db:	VULHUB	id:	VHN-382735	Trust: 0.1
db:	VULMON	id:	CVE-2021-24017	Trust: 0.1

sources: VULHUB: VHN-382735 // VULMON: CVE-2021-24017 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-367 // NVD: CVE-2021-24017

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-189	Trust: 1.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-24017	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3003	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortimanager-read-write-access-via-p-o-module-assignment-36335	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021090808	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-382735 // VULMON: CVE-2021-24017 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-367 // NVD: CVE-2021-24017

SOURCES

db:	VULHUB	id:	VHN-382735
db:	VULMON	id:	CVE-2021-24017
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202109-367
db:	NVD	id:	CVE-2021-24017

LAST UPDATE DATE

2024-08-14T12:58:01.825000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-382735	date:	2021-10-08T00:00:00
db:	VULMON	id:	CVE-2021-24017	date:	2021-10-08T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202109-367	date:	2021-10-14T00:00:00
db:	NVD	id:	CVE-2021-24017	date:	2021-10-08T03:12:18.733

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-382735	date:	2021-09-30T00:00:00
db:	VULMON	id:	CVE-2021-24017	date:	2021-09-30T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202109-367	date:	2021-09-08T00:00:00
db:	NVD	id:	CVE-2021-24017	date:	2021-09-30T16:15:07.410