CVE-2021-36177 — Incorrect Authorization in Fortinet Fortiauthenticator

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

CNA4.2

EPSS

0.2%

top 62.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiauthenticator

Timeline

PublishedFeb 2

Latest updateFeb 8

Description

An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDfortinet/fortiauthenticator6.0.0 — 6.3.3

🔴Vulnerability Details

GHSA

GHSA-v8x4-gj4q-pwgq: An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6↗2022-02-08

▶

CVEList

CVE-2021-36177: An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6↗2022-02-02

▶

📋Vendor Advisories

Fortinet

An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x...↗2022-02-02

▶