6 records found for fortitoken_mobile by fortinet — two distinct CVEs (CVE-2021-22131 and CVE-2021-44166), each shown from three sources: fkie_nvd, cvelistv5 and nvd
FKIE_CVE-2021-22131
Vulnerability from fkie_nvd - Published: 2022-07-18 18:15 - Updated: 2024-11-21 05:49
Severity (CVSS v3.1 — 6.4 is the Fortinet CNA score, 5.4 is the NVD score; note the two vectors disagree on impact, A:H vs I:L)
6.4 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
5.4 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Summary
An improper validation of certificate with host mismatch (CWE-295 per NVD) in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, and Fortinet FortiTokenWinApp version 4.0.3 and below allows an attacker on the client's network path (CVSS AV:A, e.g. a hostile Wi-Fi segment) to retrieve information disclosed via man-in-the-middle attacks: a certificate whose name does not match the server host is not rejected, so TLS interception using a certificate issued for some other host goes undetected by the app. See FG-IR-21-024 for fixed versions.
References
| Source | URL | Tags |
|---|---|---|
| psirt@fortinet.com | https://fortiguard.com/advisory/FG-IR-21-024 | Patch, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 (CVE Program) | https://fortiguard.com/advisory/FG-IR-21-024 | Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:0.4.10:*:*:*:*:android:*:*",
"matchCriteriaId": "78409CFC-A286-4BC2-A6CC-3AA0713B5B95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:0.4.20:*:*:*:*:android:*:*",
"matchCriteriaId": "8607115D-DF4D-4FF8-892E-5F249E8DBD49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.0:*:*:*:*:android:*:*",
"matchCriteriaId": "B9C01846-DEC3-4D82-9CF8-7A7F30E3D24E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.0:*:*:*:*:windows:*:*",
"matchCriteriaId": "6BE8D5E7-54A6-41F8-AEE5-4B5494F526E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.1:*:*:*:*:android:*:*",
"matchCriteriaId": "78A9D2E4-C44A-4E2D-8653-34125C60D36D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.1:*:*:*:*:ios:*:*",
"matchCriteriaId": "646EA1B7-DC75-48C9-9253-4C2A73EBAB4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.1:*:*:*:*:windows:*:*",
"matchCriteriaId": "EFBCBD58-7F9F-4972-B283-843A341BF3D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.2:*:*:*:*:android:*:*",
"matchCriteriaId": "745A6368-1A53-4CE7-9FC0-D7691841A5A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.2:*:*:*:*:ios:*:*",
"matchCriteriaId": "66F1224F-B105-421E-B8A4-1ADB4E6D6C97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.3:*:*:*:*:android:*:*",
"matchCriteriaId": "4F8B1290-410C-4DF8-8F32-D7606D6ED70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.3:*:*:*:*:ios:*:*",
"matchCriteriaId": "F12596B9-1FD1-4DEE-B914-3BE4AB0D4954",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.4:*:*:*:*:android:*:*",
"matchCriteriaId": "A91D1B9C-1E80-4F1F-9C87-B2F8BBC238CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.4:*:*:*:*:ios:*:*",
"matchCriteriaId": "DB309927-9668-485A-B103-4B49B158F9FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:3.0.5:*:*:*:*:ios:*:*",
"matchCriteriaId": "E6C89656-4142-459C-A7D0-1AD56D8912DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.0.0:*:*:*:*:android:*:*",
"matchCriteriaId": "3955B1D6-2A19-4233-B4D9-8B4164953FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.0.1:*:*:*:*:android:*:*",
"matchCriteriaId": "C73200A0-7927-4BB7-BFC3-F3096A36C885",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.0.3:*:*:*:*:windows:*:*",
"matchCriteriaId": "64352CBC-EE83-41E0-AA38-63F1BE9C6BFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.1.0:*:*:*:*:ios:*:*",
"matchCriteriaId": "359238E3-41BD-4CF1-8DBE-D870AC8B957C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.1.1:*:*:*:*:android:*:*",
"matchCriteriaId": "13450557-F714-440B-ACE4-16CB73FE0671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.1.1:*:*:*:*:ios:*:*",
"matchCriteriaId": "0FBE4948-CC88-48EA-AA98-7FFA6CB64620",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.2.0:*:*:*:*:ios:*:*",
"matchCriteriaId": "081B181E-C83F-43B1-B403-66F39E9F19B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.2.1:*:*:*:*:android:*:*",
"matchCriteriaId": "9136197A-B12B-4CAF-9E29-4C5FE449CA4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.2.2:*:*:*:*:android:*:*",
"matchCriteriaId": "4C141581-C3A0-40AD-9653-09A807DAD6CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.3.0:*:*:*:*:android:*:*",
"matchCriteriaId": "F15B4E41-3064-4EC5-8E7B-28E3C1F0C2D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.3.0:*:*:*:*:ios:*:*",
"matchCriteriaId": "0A1901AC-78BB-488A-85E0-DF7596018CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.4.0:*:*:*:*:android:*:*",
"matchCriteriaId": "469E9D0A-A62D-4827-9CCC-273E8DBDF803",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.5.0:*:*:*:*:android:*:*",
"matchCriteriaId": "94A1FD51-E7EB-46B0-876F-FC4DBCD9F067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:5.0.2:*:*:*:*:android:*:*",
"matchCriteriaId": "C7D9D6C0-3BEE-4AA7-89F0-3F403BE9899F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:5.0.3:*:*:*:*:android:*:*",
"matchCriteriaId": "D5AD4616-8E63-4454-B443-F25226796FDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:5.2.0:*:*:*:*:ios:*:*",
"matchCriteriaId": "B395A92E-6FE3-42E1-97F3-3FB6FB1C2AF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3 and below allows attacker to retrieve information disclosed via man-in-the-middle attacks."
},
{
"lang": "es",
"value": "Una comprobaci\u00f3n incorrecta del certificado con desajuste de host en Fortinet FortiTokenAndroid versi\u00f3n 5.0.3 y anteriores, Fortinet FortiTokeniOS versi\u00f3n 5.2.0 y anteriores, Fortinet FortiTokenWinApp versi\u00f3n 4.0.3 y anteriores permite a un atacante recuperar informaci\u00f3n divulgada por medio de ataques de tipo man-in-the-middle"
}
],
"id": "CVE-2021-22131",
"lastModified": "2024-11-21T05:49:33.903",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "psirt@fortinet.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-18T18:15:08.620",
"references": [
{
"source": "psirt@fortinet.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
],
"sourceIdentifier": "psirt@fortinet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-44166
Vulnerability from fkie_nvd - Published: 2022-03-02 10:15 - Updated: 2024-11-21 06:30
Severity (CVSS v3.1 — the Fortinet CNA and NVD scores agree at 4.1; the NVD also records a CVSS v2 score of 3.5, Low)
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Summary
An improper access control vulnerability (CWE-284) in the external push notification feature of FortiToken Mobile (Android) 5.1.0 and below may allow a remote attacker who has already obtained a user's password to access the protected system during the 2FA procedure, even when the legitimate user presses Deny on the push prompt — i.e. the second factor is effectively bypassed and the password alone suffices on affected versions. See FG-IR-21-210 for fixed versions.
References
| Source | URL | Tags |
|---|---|---|
| psirt@fortinet.com | https://fortiguard.com/psirt/FG-IR-21-210 | Patch, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 (CVE Program) | https://fortiguard.com/psirt/FG-IR-21-210 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | Platform (CPE target_sw) |
|---|---|---|---|
| fortinet | fortitoken_mobile | 4.0.0 | android |
| fortinet | fortitoken_mobile | 4.0.1 | android |
| fortinet | fortitoken_mobile | 4.1.1 | android |
| fortinet | fortitoken_mobile | 4.2.1 | android |
| fortinet | fortitoken_mobile | 4.2.2 | android |
| fortinet | fortitoken_mobile | 4.3.0 | android |
| fortinet | fortitoken_mobile | 4.4.0 | android |
| fortinet | fortitoken_mobile | 4.5.0 | android |
| fortinet | fortitoken_mobile | 5.0.2 | android |
| fortinet | fortitoken_mobile | 5.0.3 | android |
| fortinet | fortitoken_mobile | 5.1.0 | android |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.0.0:*:*:*:*:android:*:*",
"matchCriteriaId": "3955B1D6-2A19-4233-B4D9-8B4164953FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.0.1:*:*:*:*:android:*:*",
"matchCriteriaId": "C73200A0-7927-4BB7-BFC3-F3096A36C885",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.1.1:*:*:*:*:android:*:*",
"matchCriteriaId": "13450557-F714-440B-ACE4-16CB73FE0671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.2.1:*:*:*:*:android:*:*",
"matchCriteriaId": "9136197A-B12B-4CAF-9E29-4C5FE449CA4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.2.2:*:*:*:*:android:*:*",
"matchCriteriaId": "4C141581-C3A0-40AD-9653-09A807DAD6CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.3.0:*:*:*:*:android:*:*",
"matchCriteriaId": "F15B4E41-3064-4EC5-8E7B-28E3C1F0C2D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.4.0:*:*:*:*:android:*:*",
"matchCriteriaId": "469E9D0A-A62D-4827-9CCC-273E8DBDF803",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:4.5.0:*:*:*:*:android:*:*",
"matchCriteriaId": "94A1FD51-E7EB-46B0-876F-FC4DBCD9F067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:5.0.2:*:*:*:*:android:*:*",
"matchCriteriaId": "C7D9D6C0-3BEE-4AA7-89F0-3F403BE9899F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:5.0.3:*:*:*:*:android:*:*",
"matchCriteriaId": "D5AD4616-8E63-4454-B443-F25226796FDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortitoken_mobile:5.1.0:*:*:*:*:android:*:*",
"matchCriteriaId": "A5542F78-EB6C-4F4D-BBED-60D5B411C8B7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user\u0027s password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user."
},
{
"lang": "es",
"value": "Una vulnerabilidad de control de acceso inapropiado [CWE-284 ] en la notificaci\u00f3n push externa de FortiToken Mobile (Android) versiones 5.1.0 y anteriores, puede permitir a un atacante remoto que ya haya obtenido la contrase\u00f1a de un usuario acceder al sistema protegido durante el procedimiento de 2FA, aunque el usuario leg\u00edtimo haga clic en el bot\u00f3n de denegaci\u00f3n"
}
],
"id": "CVE-2021-44166",
"lastModified": "2024-11-21T06:30:29.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "psirt@fortinet.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-02T10:15:07.750",
"references": [
{
"source": "psirt@fortinet.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
],
"sourceIdentifier": "psirt@fortinet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-22131 (GCVE-0-2021-22131)
Vulnerability from cvelistv5 – Published: 2022-07-18 16:35 – Updated: 2024-10-22 20:56
Summary
An improper validation of certificate with host mismatch (CWE-295 per NVD) in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, and Fortinet FortiTokenWinApp version 4.0.3 and below allows an attacker on the client's network path (CVSS AV:A, e.g. a hostile Wi-Fi segment) to retrieve information disclosed via man-in-the-middle attacks: a certificate whose name does not match the server host is not rejected, so TLS interception using a certificate issued for some other host goes undetected by the app. See FG-IR-21-024 for fixed versions.
Severity: 6.4 (Medium) — CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H; temporal 6.1 with E:P/RL:X/RC:C (Fortinet CNA score). The adjacent-network vector means exploitation requires an attacker on the client's network path.
CWE
- Information disclosure (free-text CNA problem type; NVD maps this CVE to CWE-295, Improper Certificate Validation)
Assigner: fortinet (psirt@fortinet.com)
References
| URL | Tags | Source |
|---|---|---|
| https://fortiguard.com/advisory/FG-IR-21-024 | x_refsource_CONFIRM | fortinet (CNA) |
| https://fortiguard.com/advisory/FG-IR-21-024 | x_refsource_CONFIRM, x_transferred | CVE Program Container |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Fortinet | Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp | Affected: FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10; FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1; FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:30:24.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T20:19:26.926959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T20:56:26.493Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10, FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3 and below allows attacker to retrieve information disclosed via man-in-the-middle attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-18T16:35:55",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2021-22131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp",
"version": {
"version_data": [
{
"version_value": "FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10, FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3 and below allows attacker to retrieve information disclosed via man-in-the-middle attacks."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "High",
"attackVector": "Adjacent",
"availabilityImpact": "High",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-21-024",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2021-22131",
"datePublished": "2022-07-18T16:35:56",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-10-22T20:56:26.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44166 (GCVE-0-2021-44166)
Vulnerability from cvelistv5 – Published: 2022-03-02 10:00 – Updated: 2024-10-22 21:00
Summary
An improper access control vulnerability (CWE-284) in the external push notification feature of FortiToken Mobile (Android) 5.1.0 and below may allow a remote attacker who has already obtained a user's password to access the protected system during the 2FA procedure, even when the legitimate user presses Deny on the push prompt — i.e. the second factor is effectively bypassed and the password alone suffices on affected versions. See FG-IR-21-210 for fixed versions.
Severity: 4.1 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N; temporal 3.9 (Low) with E:F/RL:U/RC:R (Fortinet CNA score). Note E:F/RL:U in the CNA vector: a functional exploit with no remediation available at the time the record was scored, whereas the NVD reference is tagged "Patch" — check FG-IR-21-210 for the current fix status.
CWE
- Improper access control (CWE-284 per the Fortinet description; the NVD record carries NVD-CWE-noinfo, i.e. no NVD mapping)
Assigner: fortinet (psirt@fortinet.com)
References
| URL | Tags | Source |
|---|---|---|
| https://fortiguard.com/psirt/FG-IR-21-210 | x_refsource_CONFIRM | fortinet (CNA) |
| https://fortiguard.com/psirt/FG-IR-21-210 | x_refsource_CONFIRM, x_transferred | CVE Program Container |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Fortinet | Fortinet FortiTokenAndroid | Affected: FortiTokenAndroid 5.1.0 and below |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:17:24.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T20:19:45.705370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T21:00:22.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiTokenAndroid",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiTokenAndroid 5.1.0 and below"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user\u0027s password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "FUNCTIONAL",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "REASONABLE",
"scope": "CHANGED",
"temporalScore": 3.9,
"temporalSeverity": "LOW",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:F/RL:U/RC:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper access control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-02T10:00:26",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2021-44166",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiTokenAndroid",
"version": {
"version_data": [
{
"version_value": "FortiTokenAndroid 5.1.0 and below"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user\u0027s password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 3.9,
"baseSeverity": "Low",
"confidentialityImpact": "None",
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Changed",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:F/RL:U/RC:R",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper access control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/psirt/FG-IR-21-210",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2021-44166",
"datePublished": "2022-03-02T10:00:26",
"dateReserved": "2021-11-23T00:00:00",
"dateUpdated": "2024-10-22T21:00:22.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22131 (GCVE-0-2021-22131)
Vulnerability from nvd – Published: 2022-07-18 16:35 – Updated: 2024-10-22 20:56
Summary
An improper validation of certificate with host mismatch (CWE-295 per NVD) in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, and Fortinet FortiTokenWinApp version 4.0.3 and below allows an attacker on the client's network path (CVSS AV:A, e.g. a hostile Wi-Fi segment) to retrieve information disclosed via man-in-the-middle attacks: a certificate whose name does not match the server host is not rejected, so TLS interception using a certificate issued for some other host goes undetected by the app. See FG-IR-21-024 for fixed versions.
Severity: 6.4 (Medium) — CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H; temporal 6.1 with E:P/RL:X/RC:C (Fortinet CNA score). The adjacent-network vector means exploitation requires an attacker on the client's network path.
CWE
- Information disclosure (free-text CNA problem type; NVD maps this CVE to CWE-295, Improper Certificate Validation)
Assigner: fortinet (psirt@fortinet.com)
References
| URL | Tags | Source |
|---|---|---|
| https://fortiguard.com/advisory/FG-IR-21-024 | x_refsource_CONFIRM | fortinet (CNA) |
| https://fortiguard.com/advisory/FG-IR-21-024 | x_refsource_CONFIRM, x_transferred | CVE Program Container |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Fortinet | Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp | Affected: FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10; FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1; FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:30:24.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T20:19:26.926959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T20:56:26.493Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10, FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3 and below allows attacker to retrieve information disclosed via man-in-the-middle attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-18T16:35:55",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2021-22131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp",
"version": {
"version_data": [
{
"version_value": "FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10, FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3 and below allows attacker to retrieve information disclosed via man-in-the-middle attacks."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "High",
"attackVector": "Adjacent",
"availabilityImpact": "High",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-21-024",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-21-024"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2021-22131",
"datePublished": "2022-07-18T16:35:56",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-10-22T20:56:26.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44166 (GCVE-0-2021-44166)
Vulnerability from nvd – Published: 2022-03-02 10:00 – Updated: 2024-10-22 21:00
Summary
An improper access control vulnerability (CWE-284) in the external push notification feature of FortiToken Mobile (Android) 5.1.0 and below may allow a remote attacker who has already obtained a user's password to access the protected system during the 2FA procedure, even when the legitimate user presses Deny on the push prompt — i.e. the second factor is effectively bypassed and the password alone suffices on affected versions. See FG-IR-21-210 for fixed versions.
Severity: 4.1 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N; temporal 3.9 (Low) with E:F/RL:U/RC:R (Fortinet CNA score). Note E:F/RL:U in the CNA vector: a functional exploit with no remediation available at the time the record was scored, whereas the NVD reference is tagged "Patch" — check FG-IR-21-210 for the current fix status.
CWE
- Improper access control (CWE-284 per the Fortinet description; the NVD record carries NVD-CWE-noinfo, i.e. no NVD mapping)
Assigner: fortinet (psirt@fortinet.com)
References
| URL | Tags | Source |
|---|---|---|
| https://fortiguard.com/psirt/FG-IR-21-210 | x_refsource_CONFIRM | fortinet (CNA) |
| https://fortiguard.com/psirt/FG-IR-21-210 | x_refsource_CONFIRM, x_transferred | CVE Program Container |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Fortinet | Fortinet FortiTokenAndroid | Affected: FortiTokenAndroid 5.1.0 and below |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:17:24.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T20:19:45.705370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T21:00:22.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiTokenAndroid",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiTokenAndroid 5.1.0 and below"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user\u0027s password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "FUNCTIONAL",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "REASONABLE",
"scope": "CHANGED",
"temporalScore": 3.9,
"temporalSeverity": "LOW",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:F/RL:U/RC:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper access control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-02T10:00:26",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2021-44166",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiTokenAndroid",
"version": {
"version_data": [
{
"version_value": "FortiTokenAndroid 5.1.0 and below"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user\u0027s password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 3.9,
"baseSeverity": "Low",
"confidentialityImpact": "None",
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Changed",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:F/RL:U/RC:R",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper access control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/psirt/FG-IR-21-210",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/psirt/FG-IR-21-210"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2021-44166",
"datePublished": "2022-03-02T10:00:26",
"dateReserved": "2021-11-23T00:00:00",
"dateUpdated": "2024-10-22T21:00:22.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}