{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-42761", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2021-10-20T17:44:45.605Z", "datePublished": "2023-02-16T18:05:36.868Z", "dateUpdated": "2024-10-23T14:50:09.331Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiWeb", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.2", "status": "affected"}, {"versionType": "semver", "version": "6.3.0", "lessThanOrEqual": "6.3.16", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.6", "status": "affected"}, {"versionType": "semver", "version": "6.1.0", "lessThanOrEqual": "6.1.2", "status": "affected"}, {"versionType": "semver", "version": "6.0.0", "lessThanOrEqual": "6.0.7", "status": "affected"}, {"versionType": "semver", "version": "5.9.0", "lessThanOrEqual": "5.9.1", "status": "affected"}, {"versionType": "semver", "version": "5.8.5", "lessThanOrEqual": "5.8.7", "status": "affected"}, {"versionType": "semver", "version": "5.8.0", "lessThanOrEqual": "5.8.3", "status": "affected"}, {"versionType": "semver", "version": "5.7.0", "lessThanOrEqual": "5.7.3", "status": "affected"}, {"versionType": "semver", "version": "5.6.0", "lessThanOrEqual": "5.6.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A condition\u00a0for session\u00a0fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-02-16T18:05:36.868Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-384", "description": "Improper access control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWeb version 7.0.0 or above\r\nPlease upgrade to FortiWeb version 6.3.17 or above\r\nPlease upgrade to FortiWeb version 6.2.7 or above\r\nPlease upgrade to FortiWeb version 6.1.3 or above\r\nPlease upgrade to FortiWeb version 6.0.8 or above\r\nPlease upgrade to FortiWeb version 5.9.2 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-21-214", "url": "https://fortiguard.com/psirt/FG-IR-21-214"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:50.222Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-21-214", "url": "https://fortiguard.com/psirt/FG-IR-21-214", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T14:11:58.060246Z", "id": "CVE-2021-42761", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:50:09.331Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-21-214", "name": "https://fortiguard.com/psirt/FG-IR-21-214", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:50.222Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-42761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-23T14:11:58.060246Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:15:34.040Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fortinet", "product": "FortiWeb", "versions": [{"status": "affected", "version": "6.4.0", "versionType": "semver", "lessThanOrEqual": "6.4.2"}, {"status": "affected", "version": "6.3.0", "versionType": "semver", "lessThanOrEqual": "6.3.16"}, {"status": "affected", "version": "6.2.0", "versionType": "semver", "lessThanOrEqual": "6.2.6"}, {"status": "affected", "version": "6.1.0", "versionType": "semver", "lessThanOrEqual": "6.1.2"}, {"status": "affected", "version": "6.0.0", "versionType": "semver", "lessThanOrEqual": "6.0.7"}, {"status": "affected", "version": "5.9.0", "versionType": "semver", "lessThanOrEqual": "5.9.1"}, {"status": "affected", "version": "5.8.5", "versionType": "semver", "lessThanOrEqual": "5.8.7"}, {"status": "affected", "version": "5.8.0", "versionType": "semver", "lessThanOrEqual": "5.8.3"}, {"status": "affected", "version": "5.7.0", "versionType": "semver", "lessThanOrEqual": "5.7.3"}, {"status": "affected", "version": "5.6.0", "versionType": "semver", "lessThanOrEqual": "5.6.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWeb version 7.0.0 or above\r\nPlease upgrade to FortiWeb version 6.3.17 or above\r\nPlease upgrade to FortiWeb version 6.2.7 or above\r\nPlease upgrade to FortiWeb version 6.1.3 or above\r\nPlease upgrade to FortiWeb version 6.0.8 or above\r\nPlease upgrade to FortiWeb version 5.9.2 or above"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-21-214", "name": "https://fortiguard.com/psirt/FG-IR-21-214"}], "descriptions": [{"lang": "en", "value": "A condition\u00a0for session\u00a0fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "Improper access control"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-02-16T18:05:36.868Z"}}}, "cveMetadata": {"cveId": "CVE-2021-42761", "state": "PUBLISHED", "dateUpdated": "2024-10-23T14:50:09.331Z", "dateReserved": "2021-10-20T17:44:45.605Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2023-02-16T18:05:36.868Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8FDE2B1-1E8E-4DA7-B545-487914EF232D", "versionEndExcluding": "5.9.2", "versionStartIncluding": "5.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BE261E5-059D-4B89-893A-458E0B40CFD9", "versionEndExcluding": "6.0.8", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "9EFA8AB9-2777-471C-A1DA-635BDACE2F10", "versionEndExcluding": "6.1.3", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "919112F8-1479-45F0-BE4D-91112143D2AF", "versionEndExcluding": "6.2.7", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B1B7CFD-96E5-40EA-9CBC-48D0255081BD", "versionEndExcluding": "6.3.17", "versionStartIncluding": "6.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "1725A170-7445-459F-A682-A9EA13470393", "versionEndExcluding": "7.0.0", "versionStartIncluding": "6.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A condition\u00a0for session\u00a0fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session."}], "id": "CVE-2021-42761", "lastModified": "2024-11-21T06:28:07.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-16T19:15:11.603", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-21-214"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-21-214"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "psirt@fortinet.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}