Details of VAR-202203-0910

ID

VAR-202203-0910

CVE

CVE-2022-22303

TITLE

FortiManager Vulnerability regarding information leakage in

Trust: 0.8

sources: JVNDB: JVNDB-2022-007129

DESCRIPTION

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file. FortiManager There is a vulnerability related to information leakage.Information may be obtained. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. Fortinet fortimanager has an access control error vulnerability, which is caused by improper access restrictions. Local users can view FortiGate user credentials through configuration conflict files

Trust: 1.8

sources: NVD: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // VULHUB: VHN-410857 // VULMON: CVE-2022-22303

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.4.7	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	7.0.2	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.2.9	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	7.0.2	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.4.7	Trust: 0.8

sources: JVNDB: JVNDB-2022-007129 // NVD: CVE-2022-22303

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22303
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2022-22303
value:	LOW
Trust: 1.0
NVD:	CVE-2022-22303
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202203-027
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-410857
value:	LOW
Trust: 0.1
VULMON:	CVE-2022-22303
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2022-22303
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-410857
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22303
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2022-22303
baseSeverity:	LOW
baseScore:	2.8
vectorString:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.1
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2022-22303
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-410857 // VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027 // NVD: CVE-2022-22303 // NVD: CVE-2022-22303

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.1
problemtype:	information leak (CWE-200) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-410857 // JVNDB: JVNDB-2022-007129 // NVD: CVE-2022-22303

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-027

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202203-027

PATCH

title:	FG-IR-21-165	url:	https://www.fortiguard.com/psirt/FG-IR-21-165	Trust: 0.8
title:	Fortinet FortiGate Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184549	Trust: 0.6
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22303	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-007129	Trust: 0.8
db:	CS-HELP	id:	SB2022030123	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0860	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-027	Trust: 0.6
db:	CNVD	id:	CNVD-2022-18532	Trust: 0.1
db:	VULHUB	id:	VHN-410857	Trust: 0.1
db:	VULMON	id:	CVE-2022-22303	Trust: 0.1

sources: VULHUB: VHN-410857 // VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027 // NVD: CVE-2022-22303

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-21-165	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22303	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.0860	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22303/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022030123	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortimanager-information-disclosure-via-config-conflict-file-cleartext-password-37682	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: VULHUB: VHN-410857 // VULMON: CVE-2022-22303 // JVNDB: JVNDB-2022-007129 // CNNVD: CNNVD-202203-027 // NVD: CVE-2022-22303

SOURCES

db:	VULHUB	id:	VHN-410857
db:	VULMON	id:	CVE-2022-22303
db:	JVNDB	id:	JVNDB-2022-007129
db:	CNNVD	id:	CNNVD-202203-027
db:	NVD	id:	CVE-2022-22303

LAST UPDATE DATE

2024-08-14T13:42:57.154000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-410857	date:	2022-03-10T00:00:00
db:	VULMON	id:	CVE-2022-22303	date:	2022-03-10T00:00:00
db:	JVNDB	id:	JVNDB-2022-007129	date:	2023-07-12T07:40:00
db:	CNNVD	id:	CNNVD-202203-027	date:	2022-03-11T00:00:00
db:	NVD	id:	CVE-2022-22303	date:	2022-03-10T15:21:23.030

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-410857	date:	2022-03-02T00:00:00
db:	VULMON	id:	CVE-2022-22303	date:	2022-03-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-007129	date:	2023-07-12T00:00:00
db:	CNNVD	id:	CNNVD-202203-027	date:	2022-03-01T00:00:00
db:	NVD	id:	CVE-2022-22303	date:	2022-03-02T10:15:08.037