cve-2019-17656
Vulnerability from cvelistv5
Published
2021-04-12 14:14
Modified
2024-10-25 13:59
Severity ?
EPSS score ?
Summary
A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. Fortinet is not aware of any successful exploitation of this vulnerability that would lead to code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@fortinet.com | https://fortiguard.com/advisory/FG-IR-19-248 | Vendor Advisory | |
| psirt@fortinet.com | https://fortiguard.com/advisory/FG-IR-21-007 | Vendor Advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortinet | Fortinet FortiProxy, FortiOS |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:13.701Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-248"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-007"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-17656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:58:54.865929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T13:59:10.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiProxy, FortiOS",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below; FortiOS 6.0.10 and below, 6.2.2 and below"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. Fortinet is not aware of any successful exploitation of this vulnerability that would lead to code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Crash of the HTTPD service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T14:14:42",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-248"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-21-007"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2019-17656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiProxy, FortiOS",
"version": {
"version_data": [
{
"version_value": "FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below; FortiOS 6.0.10 and below, 6.2.2 and below"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. Fortinet is not aware of any successful exploitation of this vulnerability that would lead to code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "Low",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Crash of the HTTPD service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-19-248",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-19-248"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-21-007",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-21-007"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2019-17656",
"datePublished": "2021-04-12T14:14:42",
"dateReserved": "2019-10-16T00:00:00",
"dateUpdated": "2024-10-25T13:59:10.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2019-17656\",\"sourceIdentifier\":\"psirt@fortinet.com\",\"published\":\"2021-04-12T15:15:13.827\",\"lastModified\":\"2021-04-19T16:24:58.160\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. Fortinet is not aware of any successful exploitation of this vulnerability that would lead to code execution.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria en el demonio HTTPD de FortiOS versiones 6.0.10 y por debajo, versiones 6.2.2 y por debajo y FortiProxy versiones 1.0.x, 1.1.x, 1.2.9 y por debajo, versiones 2.0.0 y por debajo, puede permitir a un atacante remoto autenticado bloquear el servicio mediante el env\u00edo de una petici\u00f3n PUT malformada hacia el servidor.\u0026#xa0;Fortinet no tiene conocimiento de ninguna explotaci\u00f3n con \u00e9xito de esta vulnerabilidad que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"psirt@fortinet.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:N/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.2.10\",\"matchCriteriaId\":\"388FF005-6EE2-47C4-A782-BC1911BB83A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.2\",\"matchCriteriaId\":\"B87B5F67-4417-4BD6-9A58-4FA5188A659C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.0.10\",\"matchCriteriaId\":\"9BE1BA74-CBC4-4661-91E5-68E8425D42EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2.0\",\"versionEndIncluding\":\"6.2.2\",\"matchCriteriaId\":\"159A3E80-81C4-4D83-9735-40F8B80A87F1\"}]}]}],\"references\":[{\"url\":\"https://fortiguard.com/advisory/FG-IR-19-248\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://fortiguard.com/advisory/FG-IR-21-007\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.