ID

VAR-202206-0574


CVE

CVE-2021-22131


TITLE

Certificate validation vulnerability in multiple Fortinet FortiToken products

Trust: 0.8

sources: JVNDB: JVNDB-2022-015435

DESCRIPTION

An improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, and Fortinet FortiTokenWinApp version 4.0.3 and below allows an attacker to retrieve information disclosed via man-in-the-middle attacks. A certificate validation vulnerability exists in Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS and Fortinet FortiTokenWinApp; information may be obtained and information may be tampered with. Fortinet FortiToken Mobile is an OATH-compliant, event-based and time-based one-time password (OTP) generator application from Fortinet, Inc., USA. Fortinet FortiToken Mobile has a security vulnerability that stems from improper certificate validation. A remote attacker could exploit this vulnerability to perform a MitM attack. The following products and versions are affected: FortiToken Mobile for Android versions 0.4.10 to 5.0.3, FortiToken Mobile for iOS versions 3.0.1 to 5.2.0, FortiToken Mobile for Windows versions 3.0.0 to 4.1.1.

Trust: 1.71

sources: NVD: CVE-2021-22131 // JVNDB: JVNDB-2022-015435 // VULHUB: VHN-380540

AFFECTED PRODUCTS

vendor   | model             | scope | version | Trust
fortinet | fortitoken mobile | eq    | 4.1.1   | 1.0
fortinet | fortitoken mobile | eq    | 4.5.0   | 1.0
fortinet | fortitoken mobile | eq    | 0.4.20  | 1.0
fortinet | fortitoken mobile | eq    | 0.4.10  | 1.0
fortinet | fortitoken mobile | eq    | 4.2.1   | 1.0
fortinet | fortitoken mobile | eq    | 3.0.2   | 1.0
fortinet | fortitoken mobile | eq    | 4.0.3   | 1.0
fortinet | fortitoken mobile | eq    | 5.0.2   | 1.0
fortinet | fortitoken mobile | eq    | 3.0.1   | 1.0
fortinet | fortitoken mobile | eq    | 4.0.1   | 1.0
fortinet | fortitoken mobile | eq    | 4.2.0   | 1.0
fortinet | fortitoken mobile | eq    | 5.0.3   | 1.0
fortinet | fortitoken mobile | eq    | 3.0.0   | 1.0
fortinet | fortitoken mobile | eq    | 3.0.4   | 1.0
fortinet | fortitoken mobile | eq    | 4.3.0   | 1.0
fortinet | fortitoken mobile | eq    | 5.2.0   | 1.0
fortinet | fortitoken mobile | eq    | 4.0.0   | 1.0
fortinet | fortitoken mobile | eq    | 4.2.2   | 1.0
fortinet | fortitoken mobile | eq    | 3.0.3   | 1.0
fortinet | fortitoken mobile | eq    | 3.0.5   | 1.0
fortinet | fortitoken mobile | eq    | 4.4.0   | 1.0
fortinet | fortitoken mobile | eq    | 4.1.0   | 1.0
Fortinet | fortitoken mobile | eq    | -       | 0.8
Fortinet | fortitoken mobile | -     | -       | 0.8

sources: JVNDB: JVNDB-2022-015435 // NVD: CVE-2021-22131

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-22131
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-22131
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-22131
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202206-772
value: MEDIUM

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-22131
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 4.2
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-22131
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2021-22131
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-015435 // CNNVD: CNNVD-202206-772 // NVD: CVE-2021-22131 // NVD: CVE-2021-22131

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.1

problemtype: Improper certificate validation (CWE-295) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-380540 // JVNDB: JVNDB-2022-015435 // NVD: CVE-2021-22131

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202206-772

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202206-772

PATCH

title: FG-IR-21-024
url: https://www.fortiguard.com/psirt/FG-IR-21-024

Trust: 0.8

title: Fortinet FortiToken Mobile repair measures for trust management problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201336

Trust: 0.6

sources: JVNDB: JVNDB-2022-015435 // CNNVD: CNNVD-202206-772

EXTERNAL IDS

db      | id                 | Trust
NVD     | CVE-2021-22131     | 3.3
JVNDB   | JVNDB-2022-015435  | 0.8
CNNVD   | CNNVD-202206-772   | 0.7
CS-HELP | SB2022060804       | 0.6
VULHUB  | VHN-380540         | 0.1

sources: VULHUB: VHN-380540 // JVNDB: JVNDB-2022-015435 // CNNVD: CNNVD-202206-772 // NVD: CVE-2021-22131

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-024

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-22131

Trust: 0.8

url: https://www.cybersecurity-help.cz/vdb/sb2022060804

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2021-22131/

Trust: 0.6

sources: VULHUB: VHN-380540 // JVNDB: JVNDB-2022-015435 // CNNVD: CNNVD-202206-772 // NVD: CVE-2021-22131

SOURCES

db: VULHUB  id: VHN-380540
db: JVNDB   id: JVNDB-2022-015435
db: CNNVD   id: CNNVD-202206-772
db: NVD     id: CVE-2021-22131

LAST UPDATE DATE

2024-08-14T15:16:40.698000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-380540         date: 2022-07-25T00:00:00
db: JVNDB   id: JVNDB-2022-015435  date: 2023-09-27T03:29:00
db: CNNVD   id: CNNVD-202206-772   date: 2022-07-29T00:00:00
db: NVD     id: CVE-2021-22131     date: 2022-07-25T15:12:27.933

SOURCES RELEASE DATE

db: VULHUB  id: VHN-380540         date: 2022-07-18T00:00:00
db: JVNDB   id: JVNDB-2022-015435  date: 2023-09-27T00:00:00
db: CNNVD   id: CNNVD-202206-772   date: 2022-06-08T00:00:00
db: NVD     id: CVE-2021-22131     date: 2022-07-18T18:15:08.620