CVE-2020-12812

Warnung

Medienbericht

EPSS 47.04%
Veröffentlicht 24.07.2020 23:15:12
Zuletzt bearbeitet 24.10.2025 12:53:49
Quelle psirt@fortinet.com
CVE-Watchlists
Login
Unerledigt
Login

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 2 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fortinet ≫ FortiOS Version < 6.0.10

Fortinet ≫ FortiOS Version >= 6.2.0 < 6.2.4

Fortinet ≫ FortiOS Version6.4.0

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Fortinet FortiOS SSL VPN Improper Authentication Vulnerability

Schwachstelle

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the second factor of authentication (FortiToken) if they change the case in their username.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	47.04%	0.977

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Adobe-ColdFusion-und-Fortinet-Firewalls-beobachtet-11128770.html

Media Report

https://fortiguard.com/psirt/FG-IR-19-283

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12812

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2020-12812

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-12812

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-12812

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-12812

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog