{"containers": {"cna": {"affected": [{"product": "Fortinet FortiMail", "vendor": "Fortinet", "versions": [{"status": "affected", "version": "FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7"}]}], "descriptions": [{"lang": "en", "value": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-09T18:17:26.000Z", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://fortiguard.com/advisory/FG-IR-21-027"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@fortinet.com", "ID": "CVE-2021-24020", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fortinet FortiMail", "version": {"version_data": [{"version_value": "FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7"}]}}]}, "vendor_name": "Fortinet"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification."}]}, "impact": {"cvss": {"attackComplexity": "High", "attackVector": "Network", "availabilityImpact": "High", "baseScore": 6.9, "baseSeverity": "Medium", "confidentialityImpact": "High", "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "userInteraction": "None", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://fortiguard.com/advisory/FG-IR-21-027", "refsource": "CONFIRM", "url": "https://fortiguard.com/advisory/FG-IR-21-027"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:14:10.061Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fortiguard.com/advisory/FG-IR-21-027"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T14:13:45.573210Z", "id": "CVE-2021-24020", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-25T13:57:25.857Z"}}]}, "cveMetadata": {"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2021-24020", "datePublished": "2021-07-09T18:17:26.000Z", "dateReserved": "2021-01-13T00:00:00.000Z", "dateUpdated": "2024-10-25T13:57:25.857Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/advisory/FG-IR-21-027", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:14:10.061Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-24020", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-23T14:13:45.573210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:17:27.749Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fortinet", "product": "Fortinet FortiMail", "versions": [{"status": "affected", "version": "FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7"}]}], "references": [{"url": "https://fortiguard.com/advisory/FG-IR-21-027", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2021-07-09T18:17:26.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "Unchanged", "version": "3.1", "baseScore": 6.9, "attackVector": "Network", "baseSeverity": "Medium", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "High", "userInteraction": "None", "attackComplexity": "High", "availabilityImpact": "High", "privilegesRequired": "Low", "confidentialityImpact": "High"}}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7"}]}, "product_name": "Fortinet FortiMail"}]}, "vendor_name": "Fortinet"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://fortiguard.com/advisory/FG-IR-21-027", "name": "https://fortiguard.com/advisory/FG-IR-21-027", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-24020", "STATE": "PUBLIC", "ASSIGNER": "psirt@fortinet.com"}}}}, "cveMetadata": {"cveId": "CVE-2021-24020", "state": "PUBLISHED", "dateUpdated": "2024-10-25T13:57:25.857Z", "dateReserved": "2021-01-13T00:00:00.000Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2021-07-09T18:17:26.000Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "72F6AEF1-C5BF-4A9A-A843-A152AA168085", "versionEndIncluding": "6.2.7", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DAB4EFB-D73F-4FC5-8FE7-278BADB9F78E", "versionEndExcluding": "6.4.5", "versionStartIncluding": "6.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification."}, {"lang": "es", "value": "Una falta de paso criptogr\u00e1fico en la implementaci\u00f3n del algoritmo hash digest en FortiMail versiones 6.4.0 hasta 6.4.4, y versiones 6.2.0 hasta 6.2.7, puede permitir a un atacante no autenticado manipular las URLs firmadas al a\u00f1adir m\u00e1s datos que permitan omitir la comprobaci\u00f3n de la firma"}], "id": "CVE-2021-24020", "lastModified": "2024-11-21T05:52:13.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-09T19:15:08.197", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-21-027"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-21-027"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}