CVE-2021-43074

Name of the Vulnerable Software and Affected Versions FortiWeb versions 6.4 through 6.4, 6.3.16 and below, 6.2, 6.1, 6.0 FortiOS versions 7.0.3 and below, 6.4.8 and below, 6.2, 6.0 FortiSwitch versions 7.0.3 and below, 6.4.10 and below, 6.2, 6.0 FortiProxy versions 7.0.1 and below, 2.0.7 and below, 1.2, 1.1, 1.0

Description The issue is related to an improper verification of cryptographic signature, which may allow an attacker to decrypt portions of the administrative session management cookie if they can intercept it. This could potentially reveal protected information. The vulnerability can be exploited remotely.

Recommendations For FortiWeb versions 6.4 through 6.4, 6.3.16 and below, 6.2, 6.1, 6.0, update to a version that includes the fix for this issue. For FortiOS versions 7.0.3 and below, 6.4.8 and below, 6.2, 6.0, update to a version that includes the fix for this issue. For FortiSwitch versions 7.0.3 and below, 6.4.10 and below, 6.2, 6.0, update to a version that includes the fix for this issue. For FortiProxy versions 7.0.1 and below, 2.0.7 and below, 1.2, 1.1, 1.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the administrative session management cookie to minimize the risk of exploitation.