Details of VAR-202203-0907

ID

VAR-202203-0907

CVE

CVE-2022-22300

TITLE

Fortinet FortiAnalyzer and FortiManager Fraud related to unauthorized authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2022-007383

DESCRIPTION

A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 through 6.4.7, FortiAnalyzer version 7.0.0 through 7 .0.2, FortiManager version 5.6.0 through 5.6.11, FortiManager version 6.0.0 through 6.0.11, FortiManager version 6.2.0 through 6.2.9, FortiManager version 6.4.0 through 6.4.7, FortiManager version 7.0.0 through 7.0.2 allows attacker to bypass the device policy and force the password-change action for its user. Fortinet FortiAnalyzer and FortiManager Exists in a fraudulent authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite. Fortinet FortiAnalyzer has an access control error vulnerability, which is caused by network systems or products that do not properly restrict resource access from unauthorized roles. Attackers could exploit this vulnerability to bypass device policies and force their users to perform password changes

Trust: 1.8

sources: NVD: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // VULHUB: VHN-410854 // VULMON: CVE-2022-22300

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortianalyzer	scope:	lt	version:	7.0.3	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	5.6.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	5.6.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	5.6.11	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	5.6.11	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.4.7	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.4.7	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	7.0.3	Trust: 1.0
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	7.0.0 to 7.0.2	Trust: 0.8
vendor:	フォーティネット	model:	fortianalyzer	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	5.6.0 to 5.6.11	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.2.0 to 6.2.9	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.4.0 to 6.4.7	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.0.0 to 6.0.11	Trust: 0.8

sources: JVNDB: JVNDB-2022-007383 // NVD: CVE-2022-22300

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22300
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2022-22300
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-22300
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202203-033
value:	HIGH
Trust: 0.6
VULHUB:	VHN-410854
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-22300
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-22300
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-410854
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22300
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2022-22300
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2022-22300
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-410854 // VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033 // NVD: CVE-2022-22300 // NVD: CVE-2022-22300

PROBLEMTYPE DATA

problemtype:	CWE-755	Trust: 1.0
problemtype:	Illegal authentication (CWE-863) [NVD evaluation ]	Trust: 0.8
problemtype:	CWE-863	Trust: 0.1

sources: VULHUB: VHN-410854 // JVNDB: JVNDB-2022-007383 // NVD: CVE-2022-22300

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-033

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202203-033

PATCH

title:	FG-IR-21-255	url:	https://fortiguard.com/psirt/FG-IR-21-255	Trust: 0.8
title:	Fortinet FortiAnalyzer Fixes for permissions and access control issues vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184273	Trust: 0.6
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22300	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-007383	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.0857	Trust: 0.6
db:	CS-HELP	id:	SB2022030127	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-033	Trust: 0.6
db:	CNVD	id:	CNVD-2022-18533	Trust: 0.1
db:	VULHUB	id:	VHN-410854	Trust: 0.1
db:	VULMON	id:	CVE-2022-22300	Trust: 0.1

sources: VULHUB: VHN-410854 // VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033 // NVD: CVE-2022-22300

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-21-255	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22300	Trust: 0.8
url:	https://vigilance.fr/vulnerability/fortianalyzer-fortimanager-denial-of-service-via-password-change-action-37683	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22300/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0857	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022030127	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/755.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: VULHUB: VHN-410854 // VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033 // NVD: CVE-2022-22300

SOURCES

db:	VULHUB	id:	VHN-410854
db:	VULMON	id:	CVE-2022-22300
db:	JVNDB	id:	JVNDB-2022-007383
db:	CNNVD	id:	CNNVD-202203-033
db:	NVD	id:	CVE-2022-22300

LAST UPDATE DATE

2024-08-14T14:18:03.584000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-410854	date:	2022-03-09T00:00:00
db:	VULMON	id:	CVE-2022-22300	date:	2023-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2022-007383	date:	2023-07-14T02:37:00
db:	CNNVD	id:	CNNVD-202203-033	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2022-22300	date:	2023-08-08T14:21:49.707

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-410854	date:	2022-03-01T00:00:00
db:	VULMON	id:	CVE-2022-22300	date:	2022-03-01T00:00:00
db:	JVNDB	id:	JVNDB-2022-007383	date:	2023-07-14T00:00:00
db:	CNNVD	id:	CNNVD-202203-033	date:	2022-03-01T00:00:00
db:	NVD	id:	CVE-2022-22300	date:	2022-03-01T19:15:08.590