Details of VAR-202302-1352

ID

VAR-202302-1352

CVE

CVE-2021-43074

TITLE

Digital signature validation vulnerability in multiple Fortinet products

Trust: 0.8

sources: JVNDB: JVNDB-2023-004474

DESCRIPTION

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter. FortiProxy , Fortiweb , FortiOS Multiple Fortinet products contain vulnerabilities related to digital signature validation.Information may be obtained

Trust: 1.8

sources: NVD: CVE-2021-43074 // JVNDB: JVNDB-2023-004474 // VULHUB: VHN-404124 // VULMON: CVE-2021-43074

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortios	scope:	lt	version:	6.4.9	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lt	version:	6.3.17	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	lt	version:	6.4.11	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lt	version:	7.0.2	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	1.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	lt	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lt	version:	2.0.8	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lt	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lt	version:	7.0.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiproxy	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiswitch	scope:	eq	version:	7.0.0 that's all 7.0.4	Trust: 0.8
vendor:	フォーティネット	model:	fortiweb	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiswitch	scope:	eq	version:	6.0.0 that's all 6.4.11	Trust: 0.8

sources: JVNDB: JVNDB-2023-004474 // NVD: CVE-2021-43074

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-43074
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2021-43074
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-43074
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202302-1452
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-43074
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0
NVD:	CVE-2021-43074
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-004474 // CNNVD: CNNVD-202302-1452 // NVD: CVE-2021-43074 // NVD: CVE-2021-43074

PROBLEMTYPE DATA

problemtype:	CWE-347	Trust: 1.1
problemtype:	Improper verification of digital signatures (CWE-347) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-404124 // JVNDB: JVNDB-2023-004474 // NVD: CVE-2021-43074

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1452

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202302-1452

PATCH

title:	FG-IR-21-126	url:	https://fortiguard.com/psirt/FG-IR-21-126	Trust: 0.8
title:	Fortinet FortiSwitch and FortiWeb Repair measures for data forgery problem vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=226818	Trust: 0.6

sources: JVNDB: JVNDB-2023-004474 // CNNVD: CNNVD-202302-1452

EXTERNAL IDS

db:	NVD	id:	CVE-2021-43074	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-004474	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-1452	Trust: 0.6
db:	VULHUB	id:	VHN-404124	Trust: 0.1
db:	VULMON	id:	CVE-2021-43074	Trust: 0.1

sources: VULHUB: VHN-404124 // VULMON: CVE-2021-43074 // JVNDB: JVNDB-2023-004474 // CNNVD: CNNVD-202302-1452 // NVD: CVE-2021-43074

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-21-126	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43074	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2021-43074/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-404124 // VULMON: CVE-2021-43074 // JVNDB: JVNDB-2023-004474 // CNNVD: CNNVD-202302-1452 // NVD: CVE-2021-43074

SOURCES

db:	VULHUB	id:	VHN-404124
db:	VULMON	id:	CVE-2021-43074
db:	JVNDB	id:	JVNDB-2023-004474
db:	CNNVD	id:	CNNVD-202302-1452
db:	NVD	id:	CVE-2021-43074

LAST UPDATE DATE

2024-08-14T14:49:19.202000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-404124	date:	2023-02-24T00:00:00
db:	VULMON	id:	CVE-2021-43074	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2023-004474	date:	2023-10-30T07:35:00
db:	CNNVD	id:	CNNVD-202302-1452	date:	2023-02-27T00:00:00
db:	NVD	id:	CVE-2021-43074	date:	2023-11-07T03:39:18.017

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-404124	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2021-43074	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2023-004474	date:	2023-10-30T00:00:00
db:	CNNVD	id:	CNNVD-202302-1452	date:	2023-02-16T00:00:00
db:	NVD	id:	CVE-2021-43074	date:	2023-02-16T19:15:11.677