CVE-2021-36170 — Insufficiently Protected Credentials in Fortinet Fortianalyzer

CWE-522 — Insufficiently Protected Credentials4 documents4 sources

Severity

3.2LOWNVD

EPSS

0.1%

top 70.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedOct 6

Latest updateMay 24

Description

An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7.0.0 and 6.4.6 and below may allow an authenticated attacker to read the FortiCloud credentials which were used to activate the trial license in cleartext.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:NExploitability: 1.5 | Impact: 1.4

Affected Packages2 packages

▶NVDfortinet/fortimanager7.0.0 — 7.0.1+1

▶NVDfortinet/fortianalyzer7.0.0 — 7.0.1+1

🔴Vulnerability Details

GHSA

GHSA-pc9w-m2r6-3243: An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7↗2022-05-24

▶

CVEList

CVE-2021-36170: An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7↗2021-10-06

▶

📋Vendor Advisories

Fortinet

An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7.0.0 and 6.4.6 and bel...↗2021-10-06

▶