CVE-2020-12812

Warnung

EPSS 45.38%
Veröffentlicht 24.07.2020 23:15:12
Zuletzt bearbeitet 24.02.2025 15:43:27
Quelle psirt@fortinet.com
Teams Watchlist Login
Unerledigt Login

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fortinet ≫ Fortios Version < 6.0.10

Fortinet ≫ Fortios Version >= 6.2.0 < 6.2.4

Fortinet ≫ Fortios Version6.4.0

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Fortinet FortiOS SSL VPN Improper Authentication Vulnerability

Schwachstelle

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the second factor of authentication (FortiToken) if they change the case in their username.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	45.38%	0.975

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://fortiguard.com/psirt/FG-IR-19-283

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-12812

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-12812

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-12812

EUVD