{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-26091", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2021-01-25T14:47:15.092Z", "datePublished": "2025-03-24T15:37:58.370Z", "dateUpdated": "2025-03-31T18:11:58.179Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiMail", "cpes": ["cpe:2.3:a:fortinet:fortimail:6.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.4", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.9", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThan": "6.2.*", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2025-03-24T15:37:58.370Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-338", "description": "Improper Access Control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiMail version 7.0.0 or above\nPlease upgrade to FortiMail version 6.4.5 or above"}], "references": [{"name": "https://fortiguard.com/advisory/FG-IR-21-031", "url": "https://fortiguard.com/advisory/FG-IR-21-031"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T18:11:46.513539Z", "id": "CVE-2021-26091", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T18:11:58.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-26091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T18:11:46.513539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T18:11:52.931Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortimail:6.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortimail:6.2.*:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiMail", "versions": [{"status": "affected", "version": "6.4.0", "versionType": "semver", "lessThanOrEqual": "6.4.4"}, {"status": "affected", "version": "6.2.0", "versionType": "semver", "lessThanOrEqual": "6.2.9"}, {"status": "affected", "version": "6.2.0", "lessThan": "6.2.*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiMail version 7.0.0 or above\nPlease upgrade to FortiMail version 6.4.5 or above"}], "references": [{"url": "https://fortiguard.com/advisory/FG-IR-21-031", "name": "https://fortiguard.com/advisory/FG-IR-21-031"}], "descriptions": [{"lang": "en", "value": "A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2025-03-24T15:37:58.370Z"}}}, "cveMetadata": {"cveId": "CVE-2021-26091", "state": "PUBLISHED", "dateUpdated": "2025-03-31T18:11:58.179Z", "dateReserved": "2021-01-25T14:47:15.092Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2025-03-24T15:37:58.370Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6ECDB5E-50A7-4E63-9F38-A7C58EF06C3F", "versionEndExcluding": "6.4.5", "versionStartIncluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials."}, {"lang": "es", "value": "El uso de una vulnerabilidad de generador de n\u00fameros pseudoaleatorios criptogr\u00e1ficamente d\u00e9bil en el autenticador del servicio de cifrado basado en identidad de FortiMail 6.4.0 a 6.4.4 y 6.2.0 a 6.2.7 puede permitir que un atacante no autenticado infiera partes de los tokens de autenticaci\u00f3n de los usuarios y restablezca sus credenciales."}], "id": "CVE-2021-26091", "lastModified": "2025-07-23T15:53:04.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2025-03-24T16:15:16.450", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-21-031"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}