ID

VAR-202203-0910


CVE

CVE-2022-22303


TITLE

FortiManager Vulnerability regarding information leakage in

Trust: 0.8

sources: JVNDB: JVNDB-2022-007129

DESCRIPTION

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low-privileged authenticated user to gain access to the FortiGate users' credentials via the config conflict file. FortiManager contains a vulnerability related to information leakage. Information may be obtained. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. Fortinet FortiManager has an access control error vulnerability, which is caused by improper access restrictions. Local users can view FortiGate user credentials through configuration conflict files.

Trust: 1.8

sources: NVD: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // VULHUB: VHN-410857 // VULMON: CVE-2022-22303

AFFECTED PRODUCTS

vendor: fortinet, model: fortimanager, scope: gte, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 6.2.9

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 6.4.7

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gte, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 7.0.2

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gte, version: 6.2.0

Trust: 1.0

vendor: フォーティネット, model: fortimanager, scope: eq, version: 6.2.9

Trust: 0.8

vendor: フォーティネット, model: fortimanager, scope: eq, version: 7.0.2

Trust: 0.8

vendor: フォーティネット, model: fortimanager, scope: eq, version: -

Trust: 0.8

vendor: フォーティネット, model: fortimanager, scope: eq, version: 6.4.7

Trust: 0.8

sources: JVNDB: JVNDB-2022-007129 // NVD: CVE-2022-22303

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22303
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2022-22303
value: LOW

Trust: 1.0

NVD: CVE-2022-22303
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202203-027
value: MEDIUM

Trust: 0.6

VULHUB: VHN-410857
value: LOW

Trust: 0.1

VULMON: CVE-2022-22303
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2022-22303
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-410857
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22303
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2022-22303
baseSeverity: LOW
baseScore: 2.8
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.1
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-22303
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-410857 // VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027 // NVD: CVE-2022-22303 // NVD: CVE-2022-22303

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.1

problemtype: information leak (CWE-200) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-410857 // JVNDB: JVNDB-2022-007129 // NVD: CVE-2022-22303

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-027

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202203-027

PATCH

title: FG-IR-21-165, url: https://www.fortiguard.com/psirt/FG-IR-21-165

Trust: 0.8

title: Fortinet FortiGate Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184549

Trust: 0.6

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027

EXTERNAL IDS

db: NVD, id: CVE-2022-22303

Trust: 3.4

db: JVNDB, id: JVNDB-2022-007129

Trust: 0.8

db: CS-HELP, id: SB2022030123

Trust: 0.6

db: AUSCERT, id: ESB-2022.0860

Trust: 0.6

db: CNNVD, id: CNNVD-202203-027

Trust: 0.6

db: CNVD, id: CNVD-2022-18532

Trust: 0.1

db: VULHUB, id: VHN-410857

Trust: 0.1

db: VULMON, id: CVE-2022-22303

Trust: 0.1

sources: VULHUB: VHN-410857 // VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027 // NVD: CVE-2022-22303

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-21-165

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-22303

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.0860

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-22303/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030123

Trust: 0.6

url:https://vigilance.fr/vulnerability/fortimanager-information-disclosure-via-config-conflict-file-cleartext-password-37682

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-410857 // VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027 // NVD: CVE-2022-22303

SOURCES

db: VULHUB, id: VHN-410857
db: VULMON, id: CVE-2022-22303
db: JVNDB, id: JVNDB-2022-007129
db: CNNVD, id: CNNVD-202203-027
db: NVD, id: CVE-2022-22303

LAST UPDATE DATE

2024-08-14T13:42:57.154000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-410857, date: 2022-03-10T00:00:00
db: VULMON, id: CVE-2022-22303, date: 2022-03-10T00:00:00
db: JVNDB, id: JVNDB-2022-007129, date: 2023-07-12T07:40:00
db: CNNVD, id: CNNVD-202203-027, date: 2022-03-11T00:00:00
db: NVD, id: CVE-2022-22303, date: 2022-03-10T15:21:23.030

SOURCES RELEASE DATE

db: VULHUB, id: VHN-410857, date: 2022-03-02T00:00:00
db: VULMON, id: CVE-2022-22303, date: 2022-03-02T00:00:00
db: JVNDB, id: JVNDB-2022-007129, date: 2023-07-12T00:00:00
db: CNNVD, id: CNNVD-202203-027, date: 2022-03-01T00:00:00
db: NVD, id: CVE-2022-22303, date: 2022-03-02T10:15:08.037