
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN521
_____________________________________________________________________

DATE                : 06/10/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiSDNConnector versions prior to
                     1.1.8.

=====================================================================
https://www.fortiguard.com/psirt/FG-IR-20-183
_____________________________________________________________________

FortiSDNConnector - Credential leak

IR Number    : FG-IR-20-183
Date         : Oct 5, 2021
Risk         : 3/5
CVSSv3 Score : 4.2
Impact       : Information disclosure
CVE ID       : CVE-2021-36178
Affected Products: FortiSDNConnector: 1.1.7, 1.1.6, 1.1.5, 1.1.4, 1.1.3,
1.1.2, 1.1.1, 1.1.0, 1.0.0


Summary

An insufficiently protected credentials vulnerability [CWE-522] in
FortiSDNConnector may allow an authenticated user to obtain third-party
device credentials by visiting the configuration page in the WebUI.


Affected Products

FortiSDNConnector version 1.1.7 or below


Solutions

Upgrade to FortiSDNConnector version 1.1.8 or above.


Acknowledgement

Internally discovered and reported by Luca Pizziniaco of the Fortinet
TAC team.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




