CVE-2021-24020
First published: Fri Jul 09 2021(Updated: )
A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiMail | >=6.2.0<=6.2.7 | |
| Fortinet FortiMail | >=6.4.0<6.4.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this FortiMail vulnerability?
The vulnerability ID for this FortiMail vulnerability is CVE-2021-24020.
What is the severity of CVE-2021-24020?
The severity of CVE-2021-24020 is critical with a severity value of 9.8.
Which versions of FortiMail are affected by CVE-2021-24020?
FortiMail versions 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 are affected by CVE-2021-24020.
What is the impact of CVE-2021-24020?
CVE-2021-24020 may allow an unauthenticated attacker to tamper with signed URLs by appending further data, which allows bypass of signature verification.
Is there a fix for CVE-2021-24020?
There is currently no fix available for CVE-2021-24020. It is recommended to follow the mitigation steps provided by Fortinet.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/event
- agent/author
- agent/severity
- agent/references
- agent/tags
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/fortinet
- canonical/fortinet fortimail
- version/fortinet fortimail/6.2.0
- version/fortinet fortimail/6.2.7
- version/fortinet fortimail/6.4.0