CVE-2021-24005 — Hard-coded Credentials in Fortinet FortiAuthenticator
Severity: 7.5 HIGH (NVD); CNA: 4.0
EPSS: 0.1% (top 68.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 6
Latest update: May 24
Description
Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Vulnerability Details (2 entries)
GHSA
GHSA-fqjh-4555-fwq2: Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6 (2022-05-24)
CVE List
CVE-2021-24005: Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6 (2021-07-06)
Vendor Advisories (1 entry)
Fortinet
Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions befo... (2021-07-06)