FortiPortal - Use of a predictable salt and digest-based algorithm for password hashing
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-21-094
Final
1
1
2021-08-03T00:00:00
Current version
2021-08-03T00:00:00
2021-08-03T00:00:00
A use of a one-way hash with a predictable salt vulnerability (CWE-760) in the password storage mechanism of FortiPortal may allow an attacker who already possesses the password store to recover the passwords by means of precomputed tables.
Information disclosure
FortiPortal 6.0.4 and below.
Upgrade to FortiPortal 6.0.5 or above.
Discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.
FortiPortal 6.0.4
FortiPortal 6.0.3
FortiPortal 6.0.2
FortiPortal 6.0.1
FortiPortal 6.0.0
CVE-2021-32596
FortiPortal-6.0.4
FortiPortal-6.0.3
FortiPortal-6.0.2
FortiPortal-6.0.1
FortiPortal-6.0.0
5.5
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:W/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-21-094