CVE-2021-32598 — HTTP Request Smuggling in Fortinet Fortianalyzer

CWE-444 — HTTP Request Smuggling4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 66.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedAug 5

Latest updateMay 24

Description

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDfortinet/fortimanager5.6.0 — 7.0.1

▶NVDfortinet/fortianalyzer5.6.0 — 7.0.1

🔴Vulnerability Details

GHSA

GHSA-p797-78m8-4ww4: An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7↗2022-05-24

▶

CVEList

CVE-2021-32598: An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7↗2021-08-05

▶

📋Vendor Advisories

Fortinet

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager a...↗2021-08-05

▶