Padding oracle in cookie encryption Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-126 Final 1 1 2023-02-16T00:00:00 Current version 2023-02-16T00:00:00 2023-02-16T00:00:00 An improper verification of cryptographic signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy and FortiSwitch may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter. None Information disclosure FortiOS versions 7.0.3 and below.FortiOS versions 6.4.8 and below,FortiOS 6.2 all versionsFortiOS 6.0 all versionsFortiWeb 6.4 all versionsFortiWeb versions 6.3.16 and below,FortiWeb 6.2 all versionsFortiWeb 6.1 all versionsFortiWeb 6.0 all versionsFortiProxy versions 7.0.1 and below,FortiProxy versions 2.0.7 and below,FortiProxy 1.2 all versionsFortiProxy 1.1 all versionsFortiProxy 1.0 all versionsFortiSwitch versions 7.0.3 and below,FortiSwitch versions 6.4.10 and below,FortiSwitch 6.2 all versionsFortiSwitch 6.0 all versions Upgrade to FortiOS version 7.0.4 or above.Upgrade to FortiOS version 6.4.9 or above.Upgrade to FortiWeb version 7.0.0 or above.upgrade to FortiWeb version 6.3.17 or above.Upgrade to FortiProxy version 7.0.2 or above.Upgrade to FortiProxy version 2.0.8 or above.Upgrade to FortiSwitch version 7.2.0 or above.Upgrade to FortiSwitch version 7.0.4 or above.Upgrade to FortiSwitch version 6.4.11 or above. Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team. CVE-2021-43074 4.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-126 Padding oracle in cookie encryption Reference>