CVE-2021-41025

CWE-362 Race Condition (4 documents, 4 sources)
Severity
9.8 CRITICAL
EPSS
0.3%
top 51.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 8, 2021
Latest update: Dec 9, 2021

Description

Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, including an instance of concurrent execution using a shared resource with improper synchronization (CWE-362) and one of authentication bypass by capture-replay (CWE-294), may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.
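The two weakness classes named in the description, shown on a generic peer-join handshake. This is an added illustration, not FortiWeb or confd code: the message layout, the shared secret and the peer names are constructed for the example, and nothing here describes how the FortiWeb protocol actually works. The vulnerable half accepts a proof that never changes, so one captured message can be replayed (CWE-294); the hardened half binds the proof to a single-use server nonce and performs the check-and-consume of that nonce under one lock, which is the synchronization a check/consume race would otherwise lack (CWE-362).

```python
import hashlib
import hmac
import os
import threading

# Constructed sample secret for the example; a real deployment provisions this per cluster.
SHARED_SECRET = b"constructed-cluster-secret"


# --- Vulnerable pattern (CWE-294): the proof of possession is a MAC over a static message.
# It is the same bytes every time, so anyone who observes one valid join can replay it.
def vuln_make_join(peer_id: bytes) -> dict:
    tag = hmac.new(SHARED_SECRET, b"JOIN:" + peer_id, hashlib.sha256).hexdigest()
    return {"peer": peer_id, "tag": tag}


def vuln_verify(msg: dict) -> bool:
    expected = hmac.new(SHARED_SECRET, b"JOIN:" + msg["peer"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


# --- Hardened pattern: a fresh nonce per attempt, bound into the MAC and consumed atomically.
class PeerAuthenticator:
    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._outstanding: set[bytes] = set()  # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        with self._lock:
            self._outstanding.add(nonce)
        return nonce

    def verify(self, peer_id: bytes, nonce: bytes, tag: bytes) -> bool:
        expected = hmac.new(SHARED_SECRET, b"JOIN:" + peer_id + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        # Membership test and removal share one critical section, so two concurrent
        # responses carrying the same nonce cannot both observe it as outstanding.
        with self._lock:
            if nonce not in self._outstanding:
                return False
            self._outstanding.remove(nonce)
        return True


def peer_respond(peer_id: bytes, nonce: bytes) -> bytes:
    """What an honest peer sends back for a challenge."""
    return hmac.new(SHARED_SECRET, b"JOIN:" + peer_id + nonce, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool]:
    """Returns (replay accepted by vulnerable scheme, first use ok, replay ok) for the hardened scheme."""
    captured = vuln_make_join(b"peer-A")
    replay_accepted = vuln_verify(captured) and vuln_verify(captured)

    auth = PeerAuthenticator()
    nonce = auth.challenge()
    tag = peer_respond(b"peer-A", nonce)
    first = auth.verify(b"peer-A", nonce, tag)
    second = auth.verify(b"peer-A", nonce, tag)  # same bytes again: must fail
    return replay_accepted, first, second


def concurrent_replays(n_threads: int = 8) -> int:
    """Fire one valid response at the hardened verifier from many threads at once;
    with the locked check-and-consume exactly one of them may succeed."""
    auth = PeerAuthenticator()
    nonce = auth.challenge()
    tag = peer_respond(b"peer-A", nonce)
    results: list[bool] = []
    barrier = threading.Barrier(n_threads)

    def attempt() -> None:
        barrier.wait()  # release all threads together to maximise overlap
        results.append(auth.verify(b"peer-A", nonce, tag))

    threads = [threading.Thread(target=attempt) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable replay accepted, first ok, replay ok:", demo())
    print("successful concurrent uses of one nonce:", concurrent_replays())
```

The barrier in `concurrent_replays` only makes the overlap likely; it does not prove absence of a race, which is why the fix is the single critical section around the nonce check and removal rather than anything about timing.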

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4

Note: the vector shown here (C:L/I:L/A:L with scope unchanged) evaluates to a base score of 7.3 (High) under the CVSS v3.1 formula, not the 9.8 shown in the Severity field; 9.8 corresponds to the same vector with C:H/I:H/A:H. Check the NVD and Fortinet entries before relying on either figure.

Affected Packages (2 packages)

NVD: fortinet/fortiweb 6.0.0 through 6.0.7 (+8 more ranges)
CVEListV5: fortinet/fortinet_fortiweb, FortiWeb 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7

Patches

🔴 Vulnerability Details (2)
GHSA
GHSA-rvmf-qfpg-9qgj: Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6... (2021-12-09)
CVEList
CVE-2021-41025: Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6... (2021-12-08)

📋 Vendor Advisories (1)
Fortinet
Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.1... (2021-12-08)

Source: CVE-2021-41025 (CRITICAL, CVSS 9.8) | cvebase.io