Random Value Predictability in FortiSandbox RPC API by Fortinet
CVE-2021-26098
5.3 MEDIUM
What is CVE-2021-26098?
The RPC API of FortiSandbox versions prior to 4.0.0 contains a vulnerability that allows an attacker with limited knowledge about the device to potentially predict valid session IDs. The issue stems from a small space of random values, which makes the IDs predictable and can enable unauthorized access to sessions. Users should implement security measures to mitigate the risks associated with this vulnerability.
Affected Version(s)
Fortinet FortiSandbox: versions before 4.0.0