ID

VAR-202102-0771


CVE

CVE-2020-6649


TITLE

FortiNet FortiIsolator Session deadline vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-015916

DESCRIPTION

An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain such a session ID (via other, hypothetical attacks). FortiNet FortiIsolator is vulnerable to insufficient session expiration. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. Fortinet FortiIsolator is an application provided by Fortinet Corporation of the United States that provides remote browser isolation. The application adds advanced threat protection to the Fortinet Security Fabric and protects critical business data from sophisticated threats on the network. Content and files from the web are accessed in remote containers, which then present risk-free content to users.

Trust: 1.71

sources: NVD: CVE-2020-6649 // JVNDB: JVNDB-2020-015916 // VULHUB: VHN-184774

AFFECTED PRODUCTS

vendor: fortinet, model: fortiisolator, scope: lte, version: 2.0.1

Trust: 1.0

vendor: Fortinet, model: fortiisolator, scope: lte, version: 2.0.1 and earlier

Trust: 0.8

vendor: Fortinet, model: fortiisolator, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-015916 // NVD: CVE-2020-6649

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-6649
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-6649
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202102-564
value: CRITICAL

Trust: 0.6

VULHUB: VHN-184774
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-6649
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-184774
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-6649
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-6649
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184774 // JVNDB: JVNDB-2020-015916 // CNNVD: CNNVD-202102-564 // NVD: CVE-2020-6649

PROBLEMTYPE DATA

problemtype: CWE-613

Trust: 1.1

problemtype: Inappropriate session deadline (CWE-613) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-184774 // JVNDB: JVNDB-2020-015916 // NVD: CVE-2020-6649

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-564

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-564

PATCH

title: FG-IR-20-011, url: https://www.fortiguard.com/psirt/FG-IR-20-011

Trust: 0.8

title: Fortinet FortiIsolator Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=141730

Trust: 0.6

sources: JVNDB: JVNDB-2020-015916 // CNNVD: CNNVD-202102-564

EXTERNAL IDS

db: NVD, id: CVE-2020-6649

Trust: 2.5

db: JVNDB, id: JVNDB-2020-015916

Trust: 0.8

db: CNNVD, id: CNNVD-202102-564

Trust: 0.7

db: AUSCERT, id: ESB-2021.0413

Trust: 0.6

db: VULHUB, id: VHN-184774

Trust: 0.1

sources: VULHUB: VHN-184774 // JVNDB: JVNDB-2020-015916 // CNNVD: CNNVD-202102-564 // NVD: CVE-2020-6649

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-20-011

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-6649

Trust: 1.4

url: https://www.auscert.org.au/bulletins/esb-2021.0413

Trust: 0.6

sources: VULHUB: VHN-184774 // JVNDB: JVNDB-2020-015916 // CNNVD: CNNVD-202102-564 // NVD: CVE-2020-6649

SOURCES

db: VULHUB, id: VHN-184774
db: JVNDB, id: JVNDB-2020-015916
db: CNNVD, id: CNNVD-202102-564
db: NVD, id: CVE-2020-6649

LAST UPDATE DATE

2024-11-23T21:51:02.780000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-184774, date: 2021-02-10T00:00:00
db: JVNDB, id: JVNDB-2020-015916, date: 2021-10-22T08:29:00
db: CNNVD, id: CNNVD-202102-564, date: 2021-02-18T00:00:00
db: NVD, id: CVE-2020-6649, date: 2024-11-21T05:36:05.680

SOURCES RELEASE DATE

db: VULHUB, id: VHN-184774, date: 2021-02-08T00:00:00
db: JVNDB, id: JVNDB-2020-015916, date: 2021-10-22T00:00:00
db: CNNVD, id: CNNVD-202102-564, date: 2021-02-05T00:00:00
db: NVD, id: CVE-2020-6649, date: 2021-02-08T16:15:11.907