First published: Tue Aug 03 2021
A small space of random values in the FortiSandbox RPC API may allow an attacker who possesses a few pieces of information about the state of the device to predict valid session IDs.
Credit: psirt@fortinet.com
Affected Software | Affected Version | How to fix
---|---|---
Fortinet FortiSandbox | <=3.1.4 | Upgrade to 4.0.0 or later
Fortinet FortiSandbox | >=3.2.0, <3.2.3 | Upgrade to 4.0.0 or later
CVE-2021-26098 is a vulnerability in the RPC API of FortiSandbox before version 4.0.0 that allows an attacker to predict valid session IDs using a few pieces of information about the device's state.
CVE-2021-26098 has a severity rating of 7.5 (high).
CVE-2021-26098 affects FortiSandbox versions up to and including 3.1.4, and versions from 3.2.0 up to but not including 3.2.3.
An attacker exploiting CVE-2021-26098 relies on session IDs being drawn from a small space of random values: with some knowledge of the device's state, valid session IDs become predictable.
The fix for CVE-2021-26098 is to upgrade to FortiSandbox version 4.0.0 or later.
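The underlying weakness is a session identifier whose real space is far smaller than its length suggests. The following is an added example, not FortiSandbox or Fortinet code, that contrasts a constructed generator whose output is fixed by a 16-bit piece of device state with a CSPRNG-backed generator, and includes an audit helper a defender can run over a sample of issued tokens. The token alphabet, the lengths, and the 128-bit threshold are assumptions for illustration, not details taken from the advisory.

```python
# Added example (not FortiSandbox/Fortinet code): a small random space versus
# an adequately sized session ID, plus a simple audit over sampled tokens.
import math
import random
import secrets
import string

# Assumed token alphabet of 62 printable symbols; the real format is not on the page.
ALPHABET = string.ascii_letters + string.digits
MIN_BITS = 128.0  # assumed policy threshold for session identifiers


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a token of `length` symbols drawn
    from `alphabet_size` symbols. The bound only holds if the draws are
    genuinely uniform and independent."""
    return length * math.log2(alphabet_size)


def weak_session_id(device_state: int, length: int = 32) -> str:
    """Constructed weak generator: the token is a deterministic function of a
    16-bit value describing device state, so the real space is 2**16 tokens
    no matter how long the token looks. Anyone who knows that state can
    regenerate the token; this is the 'small space of random values' pattern."""
    rng = random.Random(device_state & 0xFFFF)  # seeded PRNG, not randomness
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_space_bits() -> float:
    """The weak generator's space is bounded by its 16-bit seed, not by token length."""
    return 16.0


def strong_session_id(length: int = 32) -> str:
    """CSPRNG-backed token: 32 symbols from a 62-symbol alphabet is about 190 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_tokens(tokens: list[str]) -> dict:
    """Defender-side check over a sample of issued tokens: derive the observed
    alphabet and shortest length to bound the keyspace, and count duplicates.
    A low bound or duplicates in a small sample indicate a small space; a high
    bound does NOT prove adequacy, as weak_session_id shows (long tokens, 16-bit space)."""
    alphabet = set("".join(tokens))
    shortest = min(len(t) for t in tokens)
    bound = keyspace_bits(len(alphabet), shortest)
    duplicates = len(tokens) - len(set(tokens))
    return {
        "bound_bits": bound,
        "duplicates": duplicates,
        "adequate_bound": bound >= MIN_BITS and duplicates == 0,
    }


if __name__ == "__main__":
    print("weak generator, same state twice gives same token:",
          weak_session_id(1234) == weak_session_id(1234))
    print("weak space bits:", weak_space_bits(),
          "adequate:", weak_space_bits() >= MIN_BITS)
    sample = [strong_session_id() for _ in range(200)]
    print("strong sample audit:", audit_tokens(sample))
```

The audit derives only an upper bound from the token format; the weak generator produces 32-symbol tokens that pass that bound while its true space is 2^16 values. The remediation is therefore the generator's entropy source, not the token length, which is why the advisory's fix is an upgrade rather than a configuration change.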