CVE-2023-26208 - Vulnerability Details - OpenCVE

A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.05073.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortiauthenticator

Configuration 1 [-]

cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-30033	A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.

Fixes

Solution

Please upgrade to FortiAuthenticator version 6.5.0 or above, Please upgrade to FortiDeceptor version 3.2.0 or above. Please upgrade to FortiMail version 6.4.1 or above, Please upgrade to FortiMail version 6.2.5 or above, Please upgrade to FortiMail version 6.0.10 or above.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-20-078

History

Tue, 22 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2023-03-09T14:55:08.396Z

Updated: 2024-10-22T20:47:53.846Z

Reserved: 2023-02-20T15:09:20.636Z

Link: CVE-2023-26208

Vulnrichment

Updated: 2024-08-02T11:46:23.306Z

NVD

Status : Modified

Published: 2023-03-09T15:15:09.637

Modified: 2024-11-21T07:50:55.147

Link: CVE-2023-26208

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26208", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-02-20T15:09:20.636Z", "datePublished": "2023-03-09T14:55:08.396Z", "dateUpdated": "2024-10-22T20:47:53.846Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiAuthenticator", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.6", "status": "affected"}, {"versionType": "semver", "version": "6.3.0", "lessThanOrEqual": "6.3.3", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.1", "status": "affected"}, {"versionType": "semver", "version": "6.1.0", "lessThanOrEqual": "6.1.2", "status": "affected"}, {"versionType": "semver", "version": "6.0.0", "lessThanOrEqual": "6.0.7", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending\u00a0numerous HTTP requests to the login form."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-03-09T14:55:08.396Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "Denial of service", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiAuthenticator\u00a0version 6.5.0\u00a0or above,\nPlease upgrade to FortiDeceptor\u00a0version 3.2.0\u00a0or above.\nPlease upgrade to FortiMail\u00a0version 6.4.1 or above,\r\nPlease upgrade to FortiMail version 6.2.5\u00a0or above,\r\nPlease upgrade to FortiMail version 6.0.10\u00a0or above."}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-078", "url": "https://fortiguard.com/psirt/FG-IR-20-078"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:23.306Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-078", "url": "https://fortiguard.com/psirt/FG-IR-20-078", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T20:18:20.330286Z", "id": "CVE-2023-26208", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:47:53.846Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-20-078", "name": "https://fortiguard.com/psirt/FG-IR-20-078", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:23.306Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26208", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T20:18:20.330286Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:20:39.603Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:X", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Fortinet", "product": "FortiAuthenticator", "versions": [{"status": "affected", "version": "6.4.0", "versionType": "semver", "lessThanOrEqual": "6.4.6"}, {"status": "affected", "version": "6.3.0", "versionType": "semver", "lessThanOrEqual": "6.3.3"}, {"status": "affected", "version": "6.2.0", "versionType": "semver", "lessThanOrEqual": "6.2.1"}, {"status": "affected", "version": "6.1.0", "versionType": "semver", "lessThanOrEqual": "6.1.2"}, {"status": "affected", "version": "6.0.0", "versionType": "semver", "lessThanOrEqual": "6.0.7"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiAuthenticator\u00a0version 6.5.0\u00a0or above,\nPlease upgrade to FortiDeceptor\u00a0version 3.2.0\u00a0or above.\nPlease upgrade to FortiMail\u00a0version 6.4.1 or above,\r\nPlease upgrade to FortiMail version 6.2.5\u00a0or above,\r\nPlease upgrade to FortiMail version 6.0.10\u00a0or above."}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-20-078", "name": "https://fortiguard.com/psirt/FG-IR-20-078"}], "descriptions": [{"lang": "en", "value": "A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending\u00a0numerous HTTP requests to the login form."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "Denial of service"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-03-09T14:55:08.396Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26208", "state": "PUBLISHED", "dateUpdated": "2024-10-22T20:47:53.846Z", "dateReserved": "2023-02-20T15:09:20.636Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2023-03-09T14:55:08.396Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}