Improper Certificate Validation in Fortinet's FortiToken on Android, iOS, and Windows
CVE-2021-22131

6.4MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortinet Fortitokenandroid, Fortinet FortitokeniOS, Fortinet Fortitokenwinapp
Vendor: CVE Published:; 18 July 2022

What is CVE-2021-22131?

The vulnerability in Fortinet's FortiToken applications on Android, iOS, and Windows results from improper validation of certificates, where mismatches between the certificates and the host can occur. This flaw allows attackers to potentially execute man-in-the-middle attacks, enabling them to intercept and disclose sensitive information from the affected applications. Users are strongly advised to update to the latest versions of the FortiToken software to mitigate this risk.

Affected Version(s)

Fortinet FortiTokenAndroid, Fortinet FortiTokeniOS, Fortinet FortiTokenWinApp FortiTokenAndroid 5.0.3, 5.0.2, 4.5.0, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.1.1, 4.0.1, 4.0.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 0.4.20, 0.4.10, FortiTokeniOS 5.2.0, 4.3.0, 4.2.0, 4.1.1, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, FortiTokenWinApp 4.0.3, 3.0.1, 3.0.0

References

https://fortiguard.com/advisory/FG-IR-21-024

x_refsource_CONFIRM

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 18, 2022
Vulnerability Reserved
Jan 4, 2021

CVE-2021-22131 Data

JSON