CVE-2021-32591

CWE-327 — Broken Cryptographic Algorithm4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 39.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiadc Fortinet Fortimail Fortinet Fortisandbox +2 more

Timeline

PublishedDec 8

Latest updateDec 9

Description

A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages5 packages

▶NVDfortinet/fortiadc5.0.0 — 5.4.4+4

▶NVDfortinet/fortiweb5.7.0 — 5.7.3+7

▶NVDfortinet/fortimail5.0 — 5.6.3+5

▶NVDfortinet/fortisandbox3.2.0 — 3.2.2+1

▶CVEListV5fortinet/fortinet_fortisandboxFortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-8qc7-q2w2-p7f4: A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4↗2021-12-09

▶

CVEList

CVE-2021-32591: A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4↗2021-12-08

▶

📋Vendor Advisories

Fortinet

A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSan...↗2021-12-08

▶