Fortiauthenticator
CVE-2021-24005
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key.
AnalysisAI
Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key. Affected products include: Fortinet Fortiauthenticator. Version information: before 6.3.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
More in Fortiauthenticator
View allFortinet FortiAuthenticator 3.0.0 allows local users to bypass intended restrictions and gain privileges by creating /tm
FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface.
Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command. Rated m
Cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator 3.0.0 allows remote attackers to inject arbitrar
A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authen
Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the slony PostgreSQL user and (2) www-data for the www
Information disclosure in Fortinet FortiAuthenticator (6.5 all versions and 6.6.0–6.6.2) lets a remote unauthenticated a
An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 throug
FortiAuthenticator 6.3 through 6.6.6 allows read-only users to modify local user accounts by uploading files to an unpro
A exposure of sensitive information to an unauthorized actor in Fortinet FortiAuthenticator version 6.4.0, version 6.3.2
A URL redirection to untrusted site ('open redirect') in Fortinet FortiAuthenticator version 6.6.0, version 6.5.3 and be
A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF valida
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today