ID

VAR-202203-0907


CVE

CVE-2022-22300


TITLE

Fortinet FortiAnalyzer and FortiManager incorrect authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-007383

DESCRIPTION

An improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 through 6.4.7, FortiAnalyzer version 7.0.0 through 7.0.2, FortiManager version 5.6.0 through 5.6.11, FortiManager version 6.0.0 through 6.0.11, FortiManager version 6.2.0 through 6.2.9, FortiManager version 6.4.0 through 6.4.7, FortiManager version 7.0.0 through 7.0.2 allows an attacker to bypass the device policy and force the password-change action for its user. An incorrect authorization vulnerability exists in Fortinet FortiAnalyzer and FortiManager. Information may be obtained, information may be tampered with, and service operation may be disrupted (DoS). Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. The product collects network log data and, through its report suite, analyzes, reports on, and archives the security events, network traffic, and web content found in those logs. Fortinet FortiAnalyzer has an access control error vulnerability, caused by the product not properly restricting resource access from unauthorized roles. Attackers could exploit this vulnerability to bypass device policies and force their users to perform password changes.

Trust: 1.8

sources: NVD: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // VULHUB: VHN-410854 // VULMON: CVE-2022-22300

AFFECTED PRODUCTS

vendor: fortinet  model: fortianalyzer  scope: gte  version: 5.6.0    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: lte  version: 5.6.11   Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: gte  version: 6.0.0    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: lte  version: 6.0.11   Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: gte  version: 6.2.0    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: lte  version: 6.2.9    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: gte  version: 6.4.0    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: lte  version: 6.4.7    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: gte  version: 7.0.0    Trust: 1.0
vendor: fortinet  model: fortianalyzer  scope: lt   version: 7.0.3    Trust: 1.0

vendor: fortinet  model: fortimanager   scope: gte  version: 5.6.0    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: lte  version: 5.6.11   Trust: 1.0
vendor: fortinet  model: fortimanager   scope: gte  version: 6.0.0    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: lte  version: 6.0.11   Trust: 1.0
vendor: fortinet  model: fortimanager   scope: gte  version: 6.2.0    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: lte  version: 6.2.9    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: gte  version: 6.4.0    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: lte  version: 6.4.7    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: gte  version: 7.0.0    Trust: 1.0
vendor: fortinet  model: fortimanager   scope: lt   version: 7.0.3    Trust: 1.0

vendor: Fortinet  model: fortianalyzer  scope: -    version: -                  Trust: 0.8
vendor: Fortinet  model: fortimanager   scope: eq   version: 5.6.0 to 5.6.11    Trust: 0.8
vendor: Fortinet  model: fortimanager   scope: eq   version: 6.0.0 to 6.0.11    Trust: 0.8
vendor: Fortinet  model: fortimanager   scope: eq   version: 6.2.0 to 6.2.9     Trust: 0.8
vendor: Fortinet  model: fortimanager   scope: eq   version: 6.4.0 to 6.4.7     Trust: 0.8
vendor: Fortinet  model: fortimanager   scope: eq   version: 7.0.0 to 7.0.2     Trust: 0.8

sources: JVNDB: JVNDB-2022-007383 // NVD: CVE-2022-22300
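The affected ranges above mix inclusive upper bounds (lte 6.4.7) with an exclusive one (lt 7.0.3), and version strings must be compared numerically, not as text (a string comparison puts "6.2.10" before "6.2.9" and would wrongly flag the patched 6.2.10 as affected). The following is an added example, not code from Fortinet or from any database cited here, that encodes the ranges from this entry and checks an inventory of version strings against them. The "v7.0.2-build0259" input shape and the host names are constructed assumptions for the demo.

```python
"""Affected-version check for CVE-2022-22300, built from the ranges listed
in this entry (5.6.0-5.6.11, 6.0.0-6.0.11, 6.2.0-6.2.9, 6.4.0-6.4.7 and
7.0.0 up to but not including 7.0.3, for both FortiAnalyzer and
FortiManager). Added example; not Fortinet's or any database's code."""
from __future__ import annotations

import re

# (start_inclusive, end, end_is_inclusive) per affected branch. The 7.0
# branch is recorded as "lt 7.0.3" in the NVD match data, so it is kept as
# an exclusive upper bound to show both bound types are handled.
_BRANCHES = [
    ("5.6.0", "5.6.11", True),
    ("6.0.0", "6.0.11", True),
    ("6.2.0", "6.2.9", True),
    ("6.4.0", "6.4.7", True),
    ("7.0.0", "7.0.3", False),
]
AFFECTED_RANGES = {
    "fortianalyzer": _BRANCHES,
    "fortimanager": _BRANCHES,
}

# Accepts "7.0.2", "v7.0.2" or "v7.0.2-build0259"; the build-suffix form is
# an assumption about how a version string may be reported, not taken
# from this page.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the numeric x.y.z triple so that comparisons are numeric."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_affected(product: str, version: str) -> bool:
    """True if the product/version falls inside any affected range."""
    v = parse_version(version)
    for start, end, end_inclusive in AFFECTED_RANGES[product.lower()]:
        lo, hi = parse_version(start), parse_version(end)
        if v < lo:
            continue
        if v < hi or (end_inclusive and v == hi):
            return True
    return False


def scan(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the hostnames whose (product, version) is affected."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory for the demo (hostnames and versions are
# made up; they are not from this page).
SAMPLE_INVENTORY = [
    ("faz-01", "FortiAnalyzer", "v7.0.2-build0259"),   # affected (lt 7.0.3)
    ("faz-02", "FortiAnalyzer", "v7.0.3-build0263"),   # not affected
    ("fmg-01", "FortiManager", "6.2.10"),              # not affected (> 6.2.9)
    ("fmg-02", "FortiManager", "6.4.7"),               # affected (lte 6.4.7)
    ("fmg-03", "FortiManager", "5.5.9"),               # not affected (< 5.6.0)
]

if __name__ == "__main__":
    for host in scan(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2022-22300")
```

The ranges are stored once and shared by both products because the advisory text lists identical branches for FortiAnalyzer and FortiManager; if a later advisory diverges, give each product its own list.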

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22300
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2022-22300
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-22300
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202203-033
value: HIGH

Trust: 0.6

VULHUB: VHN-410854
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22300
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22300
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-410854
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22300
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2022-22300
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-22300
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-410854 // VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033 // NVD: CVE-2022-22300 // NVD: CVE-2022-22300

PROBLEMTYPE DATA

problemtype:CWE-755

Trust: 1.0

problemtype: Incorrect authorization (CWE-863) [NVD evaluation]

Trust: 0.8

problemtype:CWE-863

Trust: 0.1

sources: VULHUB: VHN-410854 // JVNDB: JVNDB-2022-007383 // NVD: CVE-2022-22300

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-033

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202203-033

PATCH

title: FG-IR-21-255  url: https://fortiguard.com/psirt/FG-IR-21-255

Trust: 0.8

title: Fortinet FortiAnalyzer fix for permissions and access control issue vulnerability  url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184273

Trust: 0.6

title: CVE-2022-XXXX  url: https://github.com/AlphabugX/CVE-2022-23305  (aggregator link; the repository name refers to CVE-2022-23305, a different CVE, so this is not a fix for CVE-2022-22300)

Trust: 0.1

title: CVE-2022-XXXX  url: https://github.com/AlphabugX/CVE-2022-RCE  (aggregator link; not a fix for CVE-2022-22300)

Trust: 0.1

sources: VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033

EXTERNAL IDS

db: NVD  id: CVE-2022-22300

Trust: 3.4

db: JVNDB  id: JVNDB-2022-007383

Trust: 0.8

db: AUSCERT  id: ESB-2022.0857

Trust: 0.6

db: CS-HELP  id: SB2022030127

Trust: 0.6

db: CNNVD  id: CNNVD-202203-033

Trust: 0.6

db: CNVD  id: CNVD-2022-18533

Trust: 0.1

db: VULHUB  id: VHN-410854

Trust: 0.1

db: VULMON  id: CVE-2022-22300

Trust: 0.1

sources: VULHUB: VHN-410854 // VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033 // NVD: CVE-2022-22300

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-21-255

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-22300

Trust: 0.8

url:https://vigilance.fr/vulnerability/fortianalyzer-fortimanager-denial-of-service-via-password-change-action-37683

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-22300/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0857

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030127

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/755.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-410854 // VULMON: CVE-2022-22300 // JVNDB: JVNDB-2022-007383 // CNNVD: CNNVD-202203-033 // NVD: CVE-2022-22300

SOURCES

db: VULHUB  id: VHN-410854
db: VULMON  id: CVE-2022-22300
db: JVNDB   id: JVNDB-2022-007383
db: CNNVD   id: CNNVD-202203-033
db: NVD     id: CVE-2022-22300

LAST UPDATE DATE

2024-08-14T14:18:03.584000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-410854         date: 2022-03-09T00:00:00
db: VULMON  id: CVE-2022-22300     date: 2023-08-08T00:00:00
db: JVNDB   id: JVNDB-2022-007383  date: 2023-07-14T02:37:00
db: CNNVD   id: CNNVD-202203-033   date: 2022-03-10T00:00:00
db: NVD     id: CVE-2022-22300     date: 2023-08-08T14:21:49.707

SOURCES RELEASE DATE

db: VULHUB  id: VHN-410854         date: 2022-03-01T00:00:00
db: VULMON  id: CVE-2022-22300     date: 2022-03-01T00:00:00
db: JVNDB   id: JVNDB-2022-007383  date: 2023-07-14T00:00:00
db: CNNVD   id: CNNVD-202203-033   date: 2022-03-01T00:00:00
db: NVD     id: CVE-2022-22300     date: 2022-03-01T19:15:08.590