CVE-2019-17657 - OpenCVE

An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to cause admin webUI denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly, as demonstrated by Slow HTTP DoS Attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortinet	Fortianalyzer Fortiap-s Fortiap-w2 Fortimanager Fortiswitch

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortiap-s::::::::
	cpe:2.3:a:fortinet:fortiap-w2::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:o:fortinet:fortiswitch::::::::
	cpe:2.3:o:fortinet:fortiswitch::::::::
	cpe:2.3:o:fortinet:fortiswitch::::::::

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-19-013

History

No history.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2020-04-07T17:11:07

Updated: 2024-08-05T01:47:13.496Z

Reserved: 2019-10-16T00:00:00

Link: CVE-2019-17657

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-07T18:15:13.510

Modified: 2020-04-08T19:18:03.237

Link: CVE-2019-17657

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fortinet FortiSwitch", "vendor": "n/a", "versions": [{"status": "affected", "version": "below 3.6.11"}, {"status": "affected", "version": "6.0.6 and 6.2.2"}]}, {"product": "FortiAnalyzer", "vendor": "n/a", "versions": [{"status": "affected", "version": "below 6.2.3"}]}, {"product": "FortiManager", "vendor": "n/a", "versions": [{"status": "affected", "version": "below 6.2.3"}]}, {"product": "FortiAP-S/W2", "vendor": "n/a", "versions": [{"status": "affected", "version": "below 6.2.2"}]}], "datePublic": "2020-02-03T00:00:00", "descriptions": [{"lang": "en", "value": "An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to cause admin webUI denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly, as demonstrated by Slow HTTP DoS Attacks."}], "problemTypes": [{"descriptions": [{"description": "Denial of service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-07T17:11:07", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://fortiguard.com/psirt/FG-IR-19-013"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@fortinet.com", "ID": "CVE-2019-17657", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fortinet FortiSwitch", "version": {"version_data": [{"version_value": "below 3.6.11"}, {"version_value": "6.0.6 and 6.2.2"}]}}, {"product_name": "FortiAnalyzer", "version": {"version_data": [{"version_value": "below 6.2.3"}]}}, {"product_name": "FortiManager", "version": {"version_data": [{"version_value": "below 6.2.3"}]}}, {"product_name": "FortiAP-S/W2", "version": {"version_data": [{"version_value": "below 6.2.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to cause admin webUI denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly, as demonstrated by Slow HTTP DoS Attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of service"}]}]}, "references": {"reference_data": [{"name": "https://fortiguard.com/psirt/FG-IR-19-013", "refsource": "CONFIRM", "url": "https://fortiguard.com/psirt/FG-IR-19-013"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:47:13.496Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fortiguard.com/psirt/FG-IR-19-013"}]}]}, "cveMetadata": {"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2019-17657", "datePublished": "2020-04-07T17:11:07", "dateReserved": "2019-10-16T00:00:00", "dateUpdated": "2024-08-05T01:47:13.496Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBC118F5-8118-4767-A9FB-CCFBB2DFF3F9", "versionEndExcluding": "6.2.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiap-s:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E6E6044-AADA-4674-B9DD-7D39D459BAAA", "versionEndExcluding": "6.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiap-w2:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3BBB116-CC43-4E5D-AAA7-BFBE1BD26886", "versionEndExcluding": "6.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB9669E6-96CA-4391-8515-2ACB349CF4C2", "versionEndExcluding": "6.2.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*", "matchCriteriaId": "05F67FC3-A4F2-48E1-BB1F-36D993958DF5", "versionEndExcluding": "3.6.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*", "matchCriteriaId": "826D813D-CC19-4B72-918E-AFCFA1C0A30E", "versionEndExcluding": "6.0.6", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D4A4EE4-D0A7-44A9-931B-577ECDAB808B", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to cause admin webUI denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly, as demonstrated by Slow HTTP DoS Attacks."}, {"lang": "es", "value": "Una vulnerabilidad de Consumo No Controlado de Recursos en Fortinet FortiSwitch por debajo de las versiones 3.6.11, 6.0.6 y 6.2.2, FortiAnalyzer por debajo de las versiones 6.2.3, FortiManager por debajo de las funciones 6.2.3 y FortiAP-S/W2 por debajo de las versiones 6.2.2, puede permitir a un atacante causar una denegaci\u00f3n de servicio (DoS) de la Interfaz de Usuario Web Administrativa mediante el manejo de peticiones y respuestas HTTP especialmente dise\u00f1adas en partes lentamente, como es demostrado por los Ataques de DoS de HTTP Lento."}], "id": "CVE-2019-17657", "lastModified": "2020-04-08T19:18:03.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-07T18:15:13.510", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-19-013"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}