ID

VAR-202112-0357


CVE

CVE-2021-26103


TITLE

FortiProxy and FortiGate Inadequate validation of data reliability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-016005

DESCRIPTION

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy version 2.0.3 and below, 1.2.11 and below and FortiGate version 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack. Only SSL VPN in web mode or full mode are impacted by this vulnerability. FortiProxy and FortiGate contain an inadequate validation of data reliability vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiProxy SSL VPN is application software from the United States company Fortinet. An intrusion detection function is provided

Trust: 1.71

sources: NVD: CVE-2021-26103 // JVNDB: JVNDB-2021-016005 // VULHUB: VHN-385067

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: gte, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.4.6

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: gte, version: 2.0.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 5.6.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: gte, version: 1.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.2.9

Trust: 1.0

vendor: fortinet, model: fortios, scope: eq, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: lte, version: 1.2.11

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 5.6.14

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.0.13

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: lte, version: 2.0.3

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 6.0.0

Trust: 1.0

vendor: フォーティネット, model: fortios, scope: -, version: -

Trust: 0.8

vendor: フォーティネット, model: fortiproxy, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-016005 // NVD: CVE-2021-26103

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-26103
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-26103
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-26103
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202112-530
value: HIGH

Trust: 0.6

VULHUB: VHN-385067
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-26103
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-385067
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-26103
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-26103
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-26103
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-385067 // JVNDB: JVNDB-2021-016005 // CNNVD: CNNVD-202112-530 // NVD: CVE-2021-26103 // NVD: CVE-2021-26103

PROBLEMTYPE DATA

problemtype: CWE-345

Trust: 1.1

problemtype: Inadequate verification of data reliability (CWE-345) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-385067 // JVNDB: JVNDB-2021-016005 // NVD: CVE-2021-26103

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-530

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202112-530

PATCH

title: FG-IR-20-158, url: https://www.fortiguard.com/psirt/FG-IR-20-158

Trust: 0.8

title: Fortinet FortiProxy SSL VPN Repair measures for data forgery problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=173980

Trust: 0.6

sources: JVNDB: JVNDB-2021-016005 // CNNVD: CNNVD-202112-530

EXTERNAL IDS

db: NVD, id: CVE-2021-26103

Trust: 3.3

db: JVNDB, id: JVNDB-2021-016005

Trust: 0.8

db: CNNVD, id: CNNVD-202112-530

Trust: 0.7

db: AUSCERT, id: ESB-2021.4147

Trust: 0.6

db: CS-HELP, id: SB2021120716

Trust: 0.6

db: CNVD, id: CNVD-2022-19075

Trust: 0.1

db: VULHUB, id: VHN-385067

Trust: 0.1

sources: VULHUB: VHN-385067 // JVNDB: JVNDB-2021-016005 // CNNVD: CNNVD-202112-530 // NVD: CVE-2021-26103

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-20-158

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-26103

Trust: 1.4

url: https://www.auscert.org.au/bulletins/esb-2021.4147

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021120716

Trust: 0.6

url: https://vigilance.fr/vulnerability/fortios-cross-site-request-forgery-via-ssl-vpn-portal-37020

Trust: 0.6

sources: VULHUB: VHN-385067 // JVNDB: JVNDB-2021-016005 // CNNVD: CNNVD-202112-530 // NVD: CVE-2021-26103

SOURCES

db: VULHUB, id: VHN-385067
db: JVNDB, id: JVNDB-2021-016005
db: CNNVD, id: CNNVD-202112-530
db: NVD, id: CVE-2021-26103

LAST UPDATE DATE

2024-08-14T14:02:55.123000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-385067, date: 2021-12-09T00:00:00
db: JVNDB, id: JVNDB-2021-016005, date: 2022-12-05T06:07:00
db: CNNVD, id: CNNVD-202112-530, date: 2021-12-13T00:00:00
db: NVD, id: CVE-2021-26103, date: 2021-12-09T21:11:26.673

SOURCES RELEASE DATE

db: VULHUB, id: VHN-385067, date: 2021-12-08T00:00:00
db: JVNDB, id: JVNDB-2021-016005, date: 2022-12-05T00:00:00
db: CNNVD, id: CNNVD-202112-530, date: 2021-12-08T00:00:00
db: NVD, id: CVE-2021-26103, date: 2021-12-08T12:15:07.677