CVE-2020-6644

{"id": "CVE-2020-6644", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2020-06-22T16:15:12.057", "references": [{"url": "https://fortiguard.com/advisory/FG-IR-20-006", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}, {"url": "https://fortiguard.com/advisory/FG-IR-20-006", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks."}, {"lang": "es", "value": "Una vulnerabilidad de expiraci\u00f3n de sesi\u00f3n insuficiente en FortiDeceptor versiones 3.0.0 y posteriores, permite a un atacante reutilizar los ID de sesi\u00f3n de usuario administrador no vencidos para obtener privilegios de administrador, en caso de que el atacante sea capaz de obtener ese ID de sesi\u00f3n por medio de otros ataques hipot\u00e9ticos"}], "lastModified": "2024-11-21T05:36:05.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38626EDB-2E43-43BE-923E-2601C4A6C098", "versionEndIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}