ID

VAR-202112-0378


CVE

CVE-2021-36190


TITLE

Fortinet FortiWeb vulnerability in externally controllable references to resources in another region

Trust: 0.8

sources: JVNDB: JVNDB-2021-015887

DESCRIPTION

An unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests. Fortinet FortiWeb contains a vulnerability in externally controllable references to resources in another region. Information may be obtained, information may be tampered with, and the service may be put into a denial-of-service (DoS) state.

Trust: 1.71

sources: NVD: CVE-2021-36190 // JVNDB: JVNDB-2021-015887 // VULHUB: VHN-398100

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: lte, version: 6.0.7

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.4.1

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.1.1

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lte, version: 6.3.15

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.3.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.1.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lte, version: 6.2.6

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.1.2

Trust: 1.0

vendor: フォーティネット, model: fortiweb, scope: -, version: -

Trust: 0.8

vendor: フォーティネット, model: fortiweb, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-015887 // NVD: CVE-2021-36190

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-36190
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-36190
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-36190
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202112-646
value: MEDIUM

Trust: 0.6

VULHUB: VHN-398100
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-36190
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-398100
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-36190
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-36190
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.1
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-36190
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-398100 // JVNDB: JVNDB-2021-015887 // CNNVD: CNNVD-202112-646 // NVD: CVE-2021-36190 // NVD: CVE-2021-36190

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: Externally controllable reference to another region resource (CWE-610) [NVD evaluation]

Trust: 0.8

problemtype: CWE-610

Trust: 0.1

sources: VULHUB: VHN-398100 // JVNDB: JVNDB-2021-015887 // NVD: CVE-2021-36190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-646

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202112-646

PATCH

title: FG-IR-21-123, url: https://www.fortiguard.com/psirt/FG-IR-21-123

Trust: 0.8

title: Fortinet FortiWeb Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174408

Trust: 0.6

sources: JVNDB: JVNDB-2021-015887 // CNNVD: CNNVD-202112-646

EXTERNAL IDS

db: NVD, id: CVE-2021-36190

Trust: 3.3

db: JVNDB, id: JVNDB-2021-015887

Trust: 0.8

db: CNNVD, id: CNNVD-202112-646

Trust: 0.6

db: VULHUB, id: VHN-398100

Trust: 0.1

sources: VULHUB: VHN-398100 // JVNDB: JVNDB-2021-015887 // CNNVD: CNNVD-202112-646 // NVD: CVE-2021-36190

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-123

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-36190

Trust: 1.4

sources: VULHUB: VHN-398100 // JVNDB: JVNDB-2021-015887 // CNNVD: CNNVD-202112-646 // NVD: CVE-2021-36190

SOURCES

db: VULHUB, id: VHN-398100
db: JVNDB, id: JVNDB-2021-015887
db: CNNVD, id: CNNVD-202112-646
db: NVD, id: CVE-2021-36190

LAST UPDATE DATE

2024-08-14T14:18:13.528000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-398100, date: 2021-12-09T00:00:00
db: JVNDB, id: JVNDB-2021-015887, date: 2022-12-01T07:34:00
db: CNNVD, id: CNNVD-202112-646, date: 2021-12-16T00:00:00
db: NVD, id: CVE-2021-36190, date: 2023-08-08T14:21:49.707

SOURCES RELEASE DATE

db: VULHUB, id: VHN-398100, date: 2021-12-08T00:00:00
db: JVNDB, id: JVNDB-2021-015887, date: 2022-12-01T00:00:00
db: CNNVD, id: CNNVD-202112-646, date: 2021-12-08T00:00:00
db: NVD, id: CVE-2021-36190, date: 2021-12-08T14:15:09.527