First published: Tue Nov 03 2020
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiDDoS version 5.4.0, version 5.3.2 and below, version 5.2.0, version 5.1.0, version 5.0.0, version 4.7.0, version 4.6.0, version 4.5.0, version 4.4.2 and below, FortiDDoS-CM version 5.3.0, version 5.2.0, version 5.1.0, version 5.0.0, version 4.7.0, FortiVoice version 6.0.6 and below, FortiRecorder version 6.0.3 and below and FortiMail version 6.4.1 and below, version 6.2.4 and below, version 6.0.9 and below may allow a remote, unauthenticated attacker to obtain potentially sensitive software-version information by reading a JavaScript file.
Credit: psirt@fortinet.com
Affected Software | Affected Version | How to fix
---|---|---
Fortinet FortiDDoS-F | =5.4.0, <5.3.2, =5.2.0, =5.1.0, =5.0.0, =4.7.0, =4.6.0, =4.5.0, <4.4.2 | 
Fortinet FortiDDoS-CM | =5.3.0, =5.2.0, =5.1.0, =5.0.0, =4.7.0 | 
Fortinet FortiVoice Enterprise | <6.0.6 | 
Fortinet FortiRecorder 400D | <6.0.3 | 
Fortinet Fortimail-200d | <6.4.1, <6.2.4, <6.0.9 | Please upgrade to FortiMail versions 6.0.10 or above, 6.2.5 or above, or 6.4.2 or above.
CVE-2021-24008 is classified as a medium severity vulnerability due to the exposure of sensitive system information.
To mitigate CVE-2021-24008, upgrade your FortiDDoS system to version 5.4.1 or later, or apply the necessary patches provided by Fortinet.
CVE-2021-24008 affects FortiDDoS 5.4.0 and the listed earlier releases (5.3.2 and below, 5.2.0, 5.1.0, 5.0.0, 4.7.0, 4.6.0, 4.5.0, and 4.4.2 and below), as well as FortiDDoS-CM 5.3.0, 5.2.0, 5.1.0, 5.0.0 and 4.7.0.
CVE-2021-24008 is classified as an exposure of sensitive system information to an unauthorized control sphere vulnerability.
As of now, there are no reported active exploits for CVE-2021-24008, but it is advisable to remediate it promptly.