ID

VAR-202205-0408


CVE

CVE-2022-26116


TITLE

SQL injection vulnerability in FortiNAC

Trust: 0.8

sources: JVNDB: JVNDB-2022-011444

DESCRIPTION

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted string parameters. FortiNAC contains a SQL injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiNAC is a network access control solution from Fortinet. This product is mainly used for network access control and IoT security protection. Fortinet FortiNAC versions 8.3.7 to 9.2.2 have a SQL injection vulnerability that stems from insufficient sanitization of user-supplied data. The vulnerability could be exploited by a remote user to send a specially crafted request to an affected application to execute arbitrary SQL commands in the application database.

Trust: 2.34

sources: NVD: CVE-2022-26116 // JVNDB: JVNDB-2022-011444 // CNNVD: CNNVD-202205-2037 // VULHUB: VHN-416877 // VULMON: CVE-2022-26116

AFFECTED PRODUCTS

vendor: fortinet, model: fortinac, scope: lte, version: 8.3.7

Trust: 1.0

vendor: fortinet, model: fortinac, scope: eq, version: 8.5.4

Trust: 1.0

vendor: fortinet, model: fortinac, scope: lte, version: 8.6.5

Trust: 1.0

vendor: fortinet, model: fortinac, scope: lte, version: 8.7.6

Trust: 1.0

vendor: fortinet, model: fortinac, scope: lte, version: 9.2.2

Trust: 1.0

vendor: fortinet, model: fortinac, scope: gte, version: 9.1.0

Trust: 1.0

vendor: fortinet, model: fortinac, scope: lte, version: 8.5.2

Trust: 1.0

vendor: fortinet, model: fortinac, scope: lte, version: 9.1.5

Trust: 1.0

vendor: fortinet, model: fortinac, scope: lte, version: 8.8.11

Trust: 1.0

vendor: fortinet, model: fortinac, scope: gte, version: 8.5.0

Trust: 1.0

vendor: fortinet, model: fortinac, scope: gte, version: 8.8.0

Trust: 1.0

vendor: fortinet, model: fortinac, scope: gte, version: 9.2.0

Trust: 1.0

vendor: fortinet, model: fortinac, scope: gte, version: 8.7.0

Trust: 1.0

vendor: fortinet, model: fortinac, scope: eq, version: 8.6.0

Trust: 1.0

vendor: fortinet, model: fortinac, scope: gte, version: 8.6.2

Trust: 1.0

vendor: フォーティネット, model: fortinac, scope: -, version: -

Trust: 0.8

vendor: フォーティネット, model: fortinac, scope: eq, version: -

sources: JVNDB: JVNDB-2022-011444 // NVD: CVE-2022-26116

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26116
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2022-26116
value: HIGH

Trust: 1.0

NVD: CVE-2022-26116
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202205-2037
value: HIGH

Trust: 0.6

VULHUB: VHN-416877
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-26116
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-26116
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-416877
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-26116
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2022-26116
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-26116
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-416877 // VULMON: CVE-2022-26116 // JVNDB: JVNDB-2022-011444 // CNNVD: CNNVD-202205-2037 // NVD: CVE-2022-26116 // NVD: CVE-2022-26116

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.1

problemtype: SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-416877 // JVNDB: JVNDB-2022-011444 // NVD: CVE-2022-26116

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2037

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202205-2037

PATCH

title: FG-IR-22-062, url: https://www.fortiguard.com/psirt/FG-IR-22-062

Trust: 0.8

title: Fortinet FortiNAC SQL injection vulnerability remediation measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=193411

Trust: 0.6

sources: JVNDB: JVNDB-2022-011444 // CNNVD: CNNVD-202205-2037

EXTERNAL IDS

db: NVD, id: CVE-2022-26116

Trust: 3.4

db: JVNDB, id: JVNDB-2022-011444

Trust: 0.8

db: CS-HELP, id: SB2022050319

Trust: 0.6

db: CNNVD, id: CNNVD-202205-2037

Trust: 0.6

db: CNVD, id: CNVD-2022-50944

Trust: 0.1

db: VULHUB, id: VHN-416877

Trust: 0.1

db: VULMON, id: CVE-2022-26116

Trust: 0.1

sources: VULHUB: VHN-416877 // VULMON: CVE-2022-26116 // JVNDB: JVNDB-2022-011444 // CNNVD: CNNVD-202205-2037 // NVD: CVE-2022-26116

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-22-062

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2022-26116

Trust: 0.8

url: https://www.cybersecurity-help.cz/vdb/sb2022050319

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2022-26116/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/89.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-416877 // VULMON: CVE-2022-26116 // JVNDB: JVNDB-2022-011444 // CNNVD: CNNVD-202205-2037 // NVD: CVE-2022-26116

SOURCES

db: VULHUB, id: VHN-416877
db: VULMON, id: CVE-2022-26116
db: JVNDB, id: JVNDB-2022-011444
db: CNNVD, id: CNNVD-202205-2037
db: NVD, id: CVE-2022-26116

LAST UPDATE DATE

2024-11-23T22:32:49.026000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-416877, date: 2022-05-18T00:00:00
db: VULMON, id: CVE-2022-26116, date: 2022-05-18T00:00:00
db: JVNDB, id: JVNDB-2022-011444, date: 2023-08-22T06:28:00
db: CNNVD, id: CNNVD-202205-2037, date: 2022-05-19T00:00:00
db: NVD, id: CVE-2022-26116, date: 2024-11-21T06:53:27.763

SOURCES RELEASE DATE

db: VULHUB, id: VHN-416877, date: 2022-05-11T00:00:00
db: VULMON, id: CVE-2022-26116, date: 2022-05-11T00:00:00
db: JVNDB, id: JVNDB-2022-011444, date: 2023-08-22T00:00:00
db: CNNVD, id: CNNVD-202205-2037, date: 2022-05-03T00:00:00
db: NVD, id: CVE-2022-26116, date: 2022-05-11T08:15:06.687