CVE-2021-24017: Access Control missing in P&O module assignment vulnerability
First published: Tue Sep 07 2021(Updated: )
An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiManager | <6.2.7 | |
| Fortinet FortiManager | >=6.4.0<6.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID is CVE-2021-24017.
What is the affected software for this vulnerability?
The affected software is Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below.
What is the severity of CVE-2021-24017?
The severity of CVE-2021-24017 is medium (4.3).
How does CVE-2021-24017 impact Fortinet FortiManager?
CVE-2021-24017 allows attackers to assign arbitrary Policy and Object modules via crafted requests to the request handler, which can lead to unauthorized access and potential misuse of the system.
Is there a fix available for CVE-2021-24017?
Yes, Fortinet has released patches to address this vulnerability. It is recommended to update to version 6.2.7 if using FortiManager 6.2.x or to version 6.4.5 if using FortiManager 6.4.x.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/last-modified-date
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2021-24017
- collector/fortiguard-psirt
- agent/references
- agent/severity
- agent/title
- agent/first-publish-date
- agent/tags
- agent/description
- agent/event
- vendor/fortinet
- canonical/fortinet fortimanager
- version/fortinet fortimanager/6.4.0