cvelist/2020/12xxx/CVE-2020-12820.json

94 lines
3.8 KiB
JSON
Raw Normal View History

2020-05-12 13:01:17 +00:00
{
2024-12-19 11:00:54 +00:00
"data_version": "4.0",
2020-05-12 13:01:17 +00:00
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2020-12820",
2024-12-19 11:00:54 +00:00
"ASSIGNER": "psirt@fortinet.com",
"STATE": "PUBLIC"
2020-05-12 13:01:17 +00:00
},
"description": {
"description_data": [
{
"lang": "eng",
2024-12-19 11:00:54 +00:00
"value": "Under non-default configuration, a stack-based buffer overflow in FortiOS version 6.0.10 and below, version 5.6.12 and below may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Execute unauthorized code or commands",
"cweId": "CWE-121"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Fortinet",
"product": {
"product_data": [
{
"product_name": "FortiOS",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "6.0.0",
"version_value": "6.0.10"
},
{
"version_affected": "<=",
"version_name": "5.6.0",
"version_value": "5.6.12"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-20-083",
"refsource": "MISC",
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-20-083"
}
]
},
"solution": [
{
"lang": "en",
"value": "Please upgrade to FortiOS versions 5.6.13 or above.\r\nPlease upgrade to FortiOS versions 6.0.11 or above. \r\nFortiOS versions 6.2.0 and above are not impacted. \r\nFortiOS versions 6.4.0 and above are not impacted. \r\nWorkaround: \r\nPlease ensure that Fortiheartbeat and Endpoint-Compliance are not both enabled on the same interface. \r\nFortiHeartbeat and Endpoint-Compliance can be disabled on a particular interface by following the below CLI commands:\r\nconfig system interface\r\nedit interface\r\nset endpoint-compliance disable (<-- Disabled by default)\r\nset fortiheartbeat disable\r\nnext\r\nend"
}
],
"impact": {
"cvss": [
{
"version": "3.1",
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:X/RC:X"
2020-05-12 13:01:17 +00:00
}
]
}
}