CVE-2021-24019

{"id": "CVE-2021-24019", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2021-10-06T10:15:07.713", "references": [{"url": "https://fortiguard.com/advisory/FG-IR-20-072", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)"}, {"lang": "es", "value": "Una vulnerabilidad de caducidad de sesi\u00f3n insuficiente [CWE- 613] en FortiClientEMS versiones 6.4.2 y por debajo, versiones 6.2.8 y por debajo, puede permitir a un atacante reusar los ID de sesi\u00f3n del usuario administrador no caducados para obtener privilegios de administrador, si el atacante es capaz de obtener ese ID de sesi\u00f3n (por medio de otros ataques hipot\u00e9ticos)"}], "lastModified": "2021-10-14T14:39:13.373", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:forticlient_endpoint_management_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B4FE62C-CA07-438F-AB71-EC8B67F8954B", "versionEndExcluding": "6.2.9"}, {"criteria": "cpe:2.3:a:fortinet:forticlient_endpoint_management_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7082B032-189E-402E-9417-953C1B210234", "versionEndExcluding": "6.4.2", "versionStartIncluding": "6.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}