CVE-2019-5591

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

CVSS v3 6.5 MEDIUM
CVSS v2.0 3.3 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.fortiguard.com/psirt/FG-IR-19-037	Mitigation Vendor Advisory
https://www.fortiguard.com/psirt/FG-IR-19-037	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:45

Type	Values Removed	Values Added
References	~~() https://www.fortiguard.com/psirt/FG-IR-19-037 - Mitigation, Vendor Advisory~~	() https://www.fortiguard.com/psirt/FG-IR-19-037 - Mitigation, Vendor Advisory

24 Oct 2024, 13:55

Type	Values Removed	Values Added
References	~~() https://www.fortiguard.com/psirt/FG-IR-19-037 - Vendor Advisory~~	() https://www.fortiguard.com/psirt/FG-IR-19-037 - Mitigation, Vendor Advisory

Information

Published : 2020-08-14 16:15

Updated : 2025-02-06 16:07

NVD link : CVE-2019-5591

Mitre link : CVE-2019-5591

CVE.ORG link : CVE-2019-5591

JSON object : View

Products Affected

fortinet

fortios

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2019-5591", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-08-14T16:15:16.070", "references": [{"url": "https://www.fortiguard.com/psirt/FG-IR-19-037", "tags": ["Mitigation", "Vendor Advisory"], "source": "psirt@fortinet.com"}, {"url": "https://www.fortiguard.com/psirt/FG-IR-19-037", "tags": ["Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server."}, {"lang": "es", "value": "Una vulnerabilidad de Configuraci\u00f3n Predeterminada en FortiOS puede permitir a un atacante no autenticado en la misma subred interceptar informaci\u00f3n confidencial al hacerse pasar por el servidor LDAP."}], "lastModified": "2025-02-06T16:07:11.657", "cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1023D06F-42D8-40DA-BEE0-A71397F58202", "versionEndIncluding": "6.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Fortinet FortiOS Default Configuration Vulnerability"}