CVE-2020-29012 — Insufficient Session Expiration in Fortinet Fortisandbox

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

5.3MEDIUMNVD

CNA5.6

EPSS

0.2%

top 57.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortisandbox Fortinet Fortisandbox

Timeline

PublishedSep 8

Latest updateMay 24

Description

An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDfortinet/fortisandbox< 3.2.2

▶CVEListV5fortinet/fortinet_fortisandboxFortiSandbox 3.2.1,

🔴Vulnerability Details

GHSA

GHSA-vcvm-p9xp-25xg: An insufficient session expiration vulnerability in FortiSandbox versions 3↗2022-05-24

▶

CVEList

CVE-2020-29012: An insufficient session expiration vulnerability in FortiSandbox versions 3↗2021-09-08

▶

📋Vendor Advisories

Fortinet

An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse...↗2021-09-08

▶