ID

VAR-202203-1440


CVE

CVE-2021-44166


TITLE

Vulnerability in FortiToken Mobile (Android) external push notification

Trust: 0.8

sources: JVNDB: JVNDB-2022-007703

DESCRIPTION

An improper access control vulnerability [CWE-284] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user. FortiToken Mobile (Android) external push notification contains a vulnerability whose details are not disclosed; information may be tampered with. Fortinet FortiToken Mobile is an OATH-compliant event-based and time-based one-time password (OTP) generator application from Fortinet, Inc. (USA). FortiToken Mobile 5.1.0 and below contains an access control error: the product does not properly restrict resource access from unauthorized roles. The vulnerability does not disclose the user's password; the attacker must already hold it. What it gives the attacker is passage through the push-based second factor despite the legitimate user pressing Deny, so on affected versions a Deny on the phone cannot be relied on to have blocked the login, and a user reporting an unexpected push that they denied should be treated as a possible password compromise rather than as a blocked attempt. Fortinet classifies the weakness as CWE-284; the NVD entry carries no CWE (NVD-CWE-noinfo).

Trust: 1.71

sources: NVD: CVE-2021-44166 // JVNDB: JVNDB-2022-007703 // VULHUB: VHN-406773
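The advisory does not say where FortiToken Mobile's check failed, only that the user's Deny did not stop the login. As an added illustration, not code from Fortinet or from any database cited on this page, the following shows one way a push-approval verifier can fail closed so that Deny is authoritative. Everything concrete in it is an assumption for the example: the per-device shared secret, the HMAC over (challenge id, decision), the 60-second answer window, the one-shot state machine and the user names.

```python
"""Fail-closed handling of a push-notification second factor (added example,
not Fortinet's implementation). Assumed: each enrolled device shares a 32-byte
secret with the server, every answer carries an HMAC over (challenge id,
decision), and a challenge is answerable once, within a short window, with no
transition out of DENIED."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60          # assumed answer window
PENDING, APPROVED, DENIED, EXPIRED = "PENDING", "APPROVED", "DENIED", "EXPIRED"


@dataclass
class Challenge:
    challenge_id: str
    user: str
    created_at: float
    state: str = PENDING            # PENDING -> APPROVED | DENIED | EXPIRED, all terminal


def answer_tag(device_secret: bytes, challenge_id: str, decision: str) -> str:
    """What the phone app sends with its answer: HMAC-SHA256 over the challenge
    id and the decision, so neither can be altered or re-used in transit."""
    msg = f"{challenge_id}\x00{decision}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class PushVerifier:
    """Server side. Login is allowed only for a challenge in state APPROVED."""

    def __init__(self, device_secrets: dict, clock=time.time):
        self._secrets = device_secrets      # user -> enrolled device secret (assumed store)
        self._challenges = {}               # challenge id -> Challenge
        self._clock = clock                 # injectable so expiry can be exercised

    def start(self, user: str) -> str:
        """Password was accepted; create the push challenge (state PENDING)."""
        cid = secrets.token_urlsafe(24)
        self._challenges[cid] = Challenge(cid, user, self._clock())
        return cid

    def respond(self, challenge_id: str, decision: str, tag: str) -> str:
        """Apply the phone's answer. Returns a short outcome string; anything
        other than 'approved' leaves the login blocked."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return "unknown-challenge"
        if decision not in (APPROVED, DENIED):
            return "bad-decision"
        # Authenticate the answer before acting on it or revealing state.
        expected = answer_tag(self._secrets[ch.user], challenge_id, decision)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        if ch.state != PENDING:
            return f"already-{ch.state.lower()}"   # Deny is final; so is Approve
        if self._clock() - ch.created_at > CHALLENGE_TTL_SECONDS:
            ch.state = EXPIRED
            return "expired"
        ch.state = decision
        return ch.state.lower()

    def login_allowed(self, challenge_id: str) -> bool:
        """Default deny: unknown, pending, denied or expired all return False."""
        ch = self._challenges.get(challenge_id)
        return ch is not None and ch.state == APPROVED


def scenario_user_denies() -> dict:
    """The case in the advisory: attacker has the password, user presses Deny."""
    device_secret = secrets.token_bytes(32)
    server = PushVerifier({"alice": device_secret})
    cid = server.start("alice")                       # attacker's login fires the push
    outcome = {}
    outcome["deny"] = server.respond(cid, DENIED, answer_tag(device_secret, cid, DENIED))
    # Attacker tries to flip the answer without the device secret.
    outcome["forged"] = server.respond(cid, APPROVED, answer_tag(b"guess", cid, APPROVED))
    # Even a genuinely signed Approve arriving after the Deny is refused.
    outcome["late"] = server.respond(cid, APPROVED, answer_tag(device_secret, cid, APPROVED))
    outcome["allowed"] = server.login_allowed(cid)
    return outcome


def scenario_user_approves() -> bool:
    """Control case: the legitimate user approves within the window."""
    device_secret = secrets.token_bytes(32)
    server = PushVerifier({"bob": device_secret})
    cid = server.start("bob")
    server.respond(cid, APPROVED, answer_tag(device_secret, cid, APPROVED))
    return server.login_allowed(cid)


def scenario_stale_approve() -> bool:
    """An Approve that arrives after the window counts as no answer."""
    device_secret = secrets.token_bytes(32)
    now = [1000.0]
    server = PushVerifier({"carol": device_secret}, clock=lambda: now[0])
    cid = server.start("carol")
    now[0] += CHALLENGE_TTL_SECONDS + 1
    server.respond(cid, APPROVED, answer_tag(device_secret, cid, APPROVED))
    return server.login_allowed(cid)


if __name__ == "__main__":
    print(scenario_user_denies())    # {'deny': 'denied', 'forged': 'bad-mac', 'late': 'already-denied', 'allowed': False}
    print(scenario_user_approves())  # True
    print(scenario_stale_approve())  # False
```

The point of the ordering in respond() is that the server never changes or reveals challenge state on an unauthenticated message, and that the only path to login_allowed() returning True is a fresh, correctly tagged, explicit Approve on a still-pending challenge; a Deny, a timeout or silence all leave the login blocked.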

AFFECTED PRODUCTS

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 5.0.3

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.5.0

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 5.0.2

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.0.1

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.3.0

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.2.1

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.4.0

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 5.1.0

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.1.1

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.2.2

Trust: 1.0

vendor: fortinet, model: fortitoken mobile, scope: eq, version: 4.0.0

Trust: 1.0

vendor: Fortinet, model: fortitoken mobile, scope: lte, version: 5.1.0 and earlier

Trust: 0.8

vendor: Fortinet, model: fortitoken mobile, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-007703 // NVD: CVE-2021-44166

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-44166
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-44166
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-44166
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202203-068
value: MEDIUM

Trust: 0.6

VULHUB: VHN-406773
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-44166
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-406773
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-44166
baseSeverity: MEDIUM
baseScore: 4.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 1.4
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-007703
baseSeverity: MEDIUM
baseScore: 4.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: not provided
impactScore: not provided
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-406773 // JVNDB: JVNDB-2022-007703 // CNNVD: CNNVD-202203-068 // NVD: CVE-2021-44166 // NVD: CVE-2021-44166

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Insufficient information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-007703 // NVD: CVE-2021-44166

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-068

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202203-068

PATCH

title: FG-IR-21-210, url: https://www.fortiguard.com/psirt/FG-IR-21-210

Trust: 0.8

title: Fix for Fortinet FortiToken Mobile access control error vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184390

Trust: 0.6

sources: JVNDB: JVNDB-2022-007703 // CNNVD: CNNVD-202203-068

EXTERNAL IDS

db: NVD, id: CVE-2021-44166

Trust: 3.3

db: JVNDB, id: JVNDB-2022-007703

Trust: 0.8

db: CS-HELP, id: SB2022030205

Trust: 0.6

db: AUSCERT, id: ESB-2022.0863

Trust: 0.6

db: CNNVD, id: CNNVD-202203-068

Trust: 0.6

db: CNVD, id: CNVD-2022-50951

Trust: 0.1

db: VULHUB, id: VHN-406773

Trust: 0.1

sources: VULHUB: VHN-406773 // JVNDB: JVNDB-2022-007703 // CNNVD: CNNVD-202203-068 // NVD: CVE-2021-44166

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-21-210

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-44166

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2021-44166/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030205

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0863

Trust: 0.6

sources: VULHUB: VHN-406773 // JVNDB: JVNDB-2022-007703 // CNNVD: CNNVD-202203-068 // NVD: CVE-2021-44166

SOURCES

db: VULHUB, id: VHN-406773
db: JVNDB, id: JVNDB-2022-007703
db: CNNVD, id: CNNVD-202203-068
db: NVD, id: CVE-2021-44166

LAST UPDATE DATE

2024-11-23T22:10:48.650000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-406773, date: 2022-03-11T00:00:00
db: JVNDB, id: JVNDB-2022-007703, date: 2023-07-20T02:27:00
db: CNNVD, id: CNNVD-202203-068, date: 2022-03-14T00:00:00
db: NVD, id: CVE-2021-44166, date: 2024-11-21T06:30:29.077

SOURCES RELEASE DATE

db: VULHUB, id: VHN-406773, date: 2022-03-02T00:00:00
db: JVNDB, id: JVNDB-2022-007703, date: 2023-07-20T00:00:00
db: CNNVD, id: CNNVD-202203-068, date: 2022-03-02T00:00:00
db: NVD, id: CVE-2021-44166, date: 2022-03-02T10:15:07.750