Missing certificate CN/SAN validation leads to information disclosure Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-074 Final 1 1 2021-11-02T00:00:00 Current version 2021-11-02T00:00:00 2021-11-02T00:00:00 An improper validation of certificate with host mismatch [CWE-297] vulnerability in FortiOS may allow the connection to a malicious LDAP server via options in GUI, leading to disclosure of sensitive information, such as AD credentials. Information disclosure FortiGate version 7.0.1 and below.FortiGate version 6.4.6 and below.FortiGate version 6.2.9 and below. Please upgrade to FortiGate version 7.0.2 or above.Please upgrade to FortiGate version 6.4.7 or above.Please upgrade to FortiGate version 6.2.10 or above. Fortinet is pleased to thank John Headley from VPLS for reporting this vulnerability under responsible disclosure. CVE-2021-41019 3.2 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-074 Missing certificate CN/SAN validation leads to information disclosure Reference>