Multiple vulnerabilities in the authentication mechanism of confd Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-130 Final 1 1 2021-12-07T00:00:00 Current version 2021-12-07T00:00:00 2021-12-07T00:00:00 Multiple vulnerabilities in the authentication mechanism of FortiWeb's confd, including an instance of concurrent execution using shared resource with improper synchronization [CWE-362] and one of authentication bypass by capture-replay [CWE-294], may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer. None Improper access control FortiWeb versions 6.4.1 and below.FortiWeb versions 6.3.15 and below.FortiWeb versions 6.2.6 and below.FortiWeb versions 6.1.2 and below.FortiWeb versions 6.3.15 and below.FortiWeb versions 6.0.7 and below.FortiADC versions 7.0.2 and below.FortiADC versions 6.2.4 and below.FortiADC 6.1, 6.0, 5.4, 5.3, 5.2,5.1,5.0 all versions Please upgrade to FortiWeb 7.0.0 or above.Please upgrade to FortiWeb 6.4.2 or above.Please upgrade to FortiWeb 6.3.16 or above.Please upgrade to FortiADC version 7.1.0 or abovePlease upgrade to FortiADC version 7.0.3 or abovePlease upgrade to FortiADC version 6.2.5 or above Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team. CVE-2021-41025 6.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-130 Multiple vulnerabilities in the authentication mechanism of confd Reference>