CVE-2021-32591

A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.

Published: Dec 8, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-32591
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N

CWEs:

CWE-327

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
fortinet / fortimail	6.2.0	6.2.7.x
fortinet / fortisandbox	3.2.0	3.2.2.x
fortinet / fortiadc	5.0.0	5.4.4.x
fortinet / fortiweb	5.9.0	5.9.0.x
fortinet / fortiweb	5.9.1	5.9.1.x
fortinet / fortiweb	6.0.0	6.0.7.x
fortinet / fortimail	7.0.1	7.0.1.x
fortinet / fortimail	-	-
fortinet / fortiadc	6.2.0	6.2.0.x
fortinet / fortisandbox	4.0.0	4.0.0.x
fortinet / fortiweb	6.3.0	6.3.11.x
fortinet / fortiweb	6.2.0	6.2.4.x
fortinet / fortiweb	5.8.0	5.8.7.x
fortinet / fortiweb	5.7.0	5.7.3.x
fortinet / fortiadc	6.2.1	6.2.1.x
fortinet / fortiadc	6.0.0	6.0.3.x
fortinet / fortimail	7.0.0	7.0.0.x
fortinet / fortimail	6.4.0	6.4.5.x
fortinet / fortimail	6.0.0	6.0.11.x
fortinet / fortimail	5.0	5.6.3.x
fortinet / fortiadc	6.1.0	6.1.3.x
fortinet / fortiweb	6.1.0	6.1.2.x

https://fortiguard.com/advisory/FG-IR-20-222

Vulnerability Database

289,697

CVE-2021-32591