Details of VAR-202112-0380

ID

VAR-202112-0380

CVE

CVE-2021-36191

TITLE

Fortinet FortiWeb Open redirect vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-015993

DESCRIPTION

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers. Fortinet FortiWeb Exists in an open redirect vulnerability.Information may be obtained and information may be tampered with

Trust: 1.71

sources: NVD: CVE-2021-36191 // JVNDB: JVNDB-2021-015993 // VULHUB: VHN-398101

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.0.7	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.4.1	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.1.1	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.3.15	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.3.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.1.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.2.6	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.1.2	Trust: 1.0
vendor:	フォーティネット	model:	fortiweb	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiweb	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-015993 // NVD: CVE-2021-36191

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-36191
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2021-36191
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-36191
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202112-640
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-398101
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-36191
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-398101
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-36191
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-36191
baseSeverity:	MEDIUM
baseScore:	4.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-36191
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-398101 // JVNDB: JVNDB-2021-015993 // CNNVD: CNNVD-202112-640 // NVD: CVE-2021-36191 // NVD: CVE-2021-36191

PROBLEMTYPE DATA

problemtype:	CWE-601	Trust: 1.1
problemtype:	Open redirect (CWE-601) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-398101 // JVNDB: JVNDB-2021-015993 // NVD: CVE-2021-36191

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-640

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202112-640

PATCH

title:	FG-IR-21-133	url:	https://www.fortiguard.com/psirt/FG-IR-21-133	Trust: 0.8
title:	Fortinet FortiWeb Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174402	Trust: 0.6

sources: JVNDB: JVNDB-2021-015993 // CNNVD: CNNVD-202112-640

EXTERNAL IDS

db:	NVD	id:	CVE-2021-36191	Trust: 3.3
db:	JVNDB	id:	JVNDB-2021-015993	Trust: 0.8
db:	CNNVD	id:	CNNVD-202112-640	Trust: 0.6
db:	VULHUB	id:	VHN-398101	Trust: 0.1

sources: VULHUB: VHN-398101 // JVNDB: JVNDB-2021-015993 // CNNVD: CNNVD-202112-640 // NVD: CVE-2021-36191

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-21-133	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-36191	Trust: 1.4

sources: VULHUB: VHN-398101 // JVNDB: JVNDB-2021-015993 // CNNVD: CNNVD-202112-640 // NVD: CVE-2021-36191

SOURCES

db:	VULHUB	id:	VHN-398101
db:	JVNDB	id:	JVNDB-2021-015993
db:	CNNVD	id:	CNNVD-202112-640
db:	NVD	id:	CVE-2021-36191

LAST UPDATE DATE

2024-08-14T14:37:48.626000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-398101	date:	2021-12-15T00:00:00
db:	JVNDB	id:	JVNDB-2021-015993	date:	2022-12-05T05:30:00
db:	CNNVD	id:	CNNVD-202112-640	date:	2021-12-16T00:00:00
db:	NVD	id:	CVE-2021-36191	date:	2021-12-15T13:45:02.153

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-398101	date:	2021-12-08T00:00:00
db:	JVNDB	id:	JVNDB-2021-015993	date:	2022-12-05T00:00:00
db:	CNNVD	id:	CNNVD-202112-640	date:	2021-12-08T00:00:00
db:	NVD	id:	CVE-2021-36191	date:	2021-12-08T13:15:07.787