A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16, and FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13, and before 7.0.20, allows an API user authenticating with an api-key plus a PKI user certificate to log in even if the certificate is invalid.
The product implements an authentication technique but skips a step, which weakens that technique.
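To make the CWE-304 pattern concrete, the following is an added illustration written for this page; it is not Fortinet code and does not describe how FortiOS or FortiProxy implement API-user authentication. The `ClientCert` model, the `authenticate_vulnerable` / `authenticate_fixed` functions and the sample key are all hypothetical. The vulnerable variant performs the certificate check but never lets its outcome gate the decision, so a correct api-key alone suffices even when the certificate is expired; the fixed variant requires both factors to pass.

```python
"""Generic model of CWE-304 (missing critical step in authentication).

Added example for this page, not Fortinet's implementation. All names,
fields and the pre-shared key below are constructed/hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac


@dataclass(frozen=True)
class ClientCert:
    """Minimal stand-in for a parsed X.509 client certificate (hypothetical)."""
    subject: str
    not_before: datetime
    not_after: datetime
    issuer_trusted: bool   # chain builds to a configured CA
    revoked: bool          # CRL/OCSP result


def cert_is_valid(cert: ClientCert, now: datetime) -> bool:
    """All PKI checks must pass: trusted issuer, not revoked, inside validity window."""
    return (
        cert.issuer_trusted
        and not cert.revoked
        and cert.not_before <= now <= cert.not_after
    )


def api_key_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison of the presented api-key against the stored one."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def authenticate_vulnerable(api_key: str, cert: ClientCert,
                            now: datetime, expected_key: str) -> bool:
    """CWE-304 pattern: the certificate is evaluated, but the result is discarded.

    Only the api-key actually decides the outcome, so an invalid certificate
    (expired, revoked, untrusted issuer) still yields a successful login.
    """
    cert_is_valid(cert, now)          # result never used: the missing step
    return api_key_matches(api_key, expected_key)


def authenticate_fixed(api_key: str, cert: ClientCert,
                       now: datetime, expected_key: str) -> bool:
    """Both factors must pass; a failed certificate check denies the login."""
    return api_key_matches(api_key, expected_key) and cert_is_valid(cert, now)


# Constructed sample data (hypothetical key and certificates).
EXPECTED_KEY = "example-api-key-not-real"
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

VALID_CERT = ClientCert("CN=api-user", NOW - timedelta(days=30),
                        NOW + timedelta(days=335), issuer_trusted=True, revoked=False)
EXPIRED_CERT = ClientCert("CN=api-user", NOW - timedelta(days=400),
                          NOW - timedelta(days=35), issuer_trusted=True, revoked=False)
REVOKED_CERT = ClientCert("CN=api-user", NOW - timedelta(days=30),
                          NOW + timedelta(days=335), issuer_trusted=True, revoked=True)


def compare(cert: ClientCert, api_key: str = EXPECTED_KEY) -> dict:
    """Return both implementations' decisions for one certificate/key pair."""
    return {
        "vulnerable": authenticate_vulnerable(api_key, cert, NOW, EXPECTED_KEY),
        "fixed": authenticate_fixed(api_key, cert, NOW, EXPECTED_KEY),
    }


if __name__ == "__main__":
    for label, cert in (("valid", VALID_CERT), ("expired", EXPIRED_CERT),
                        ("revoked", REVOKED_CERT)):
        print(f"{label:8s} {compare(cert)}")
    print(f"{'bad key':8s} {compare(VALID_CERT, api_key='wrong-key')}")
```

Running the script shows the divergence a defender cares about: with the expired or revoked certificate the vulnerable function still returns `True` while the fixed one returns `False`; with a wrong api-key both deny. When reviewing multi-factor authentication code, the check to make is that every factor's result is actually consumed by the final decision, not merely computed.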
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| FortiProxy | Fortinet | 7.0.0 (including) | 7.0.21 (excluding) |
| FortiProxy | Fortinet | 7.2.0 (including) | 7.2.14 (excluding) |
| FortiProxy | Fortinet | 7.4.0 (including) | 7.4.9 (excluding) |
| FortiProxy | Fortinet | 7.6.0 (including) | 7.6.2 (excluding) |
| FortiOS | Fortinet | 7.0.1 (including) | 7.0.17 (excluding) |
| FortiOS | Fortinet | 7.2.0 (including) | 7.2.11 (excluding) |
| FortiOS | Fortinet | 7.4.0 (including) | 7.4.6 (excluding) |
| FortiOS | Fortinet | 7.6.0 (including) | 7.6.0 (including) |
| FortiOS | Fortinet | 7.6.1 (including) | 7.6.1 (including) |