FortiWeb Improper Crypto Signature Verification (6.4, 6.3.16-, 6.2-, 6.1-, 6.0-)
CVE-2021-43074 Published on February 16, 2023

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.

NVD

Vulnerability Analysis

CVE-2021-43074 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Improper Verification of Cryptographic Signature

The software does not verify, or incorrectly verifies, the cryptographic signature for data.


Products Associated with CVE-2021-43074

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-43074 are published in these products:

Fortinet FortiOS
 
Fortinet FortiProxy
 
Fortinet Fortiswitch
 
Fortinet FortiWeb
 

Affected Versions

Fortinet FortiSwitch: Fortinet FortiWeb: Fortinet FortiProxy: Fortinet FortiOS:

Exploit Probability

EPSS
0.12%
Percentile
31.15%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.