Details of VAR-202206-0575

ID

VAR-202206-0575

CVE

CVE-2022-29060

TITLE

FortiDDoS API Vulnerability in using hard-coded credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2022-015696

DESCRIPTION

A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device. FortiDDoS API Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiDDoS is the only inspectable DDoS mitigation platform from Fortinet USA. Fortinet FortiDDoS has a security flaw that stems from the use of hard-coded encryption keys

Trust: 1.8

sources: NVD: CVE-2022-29060 // JVNDB: JVNDB-2022-015696 // VULHUB: VHN-420594 // VULMON: CVE-2022-29060

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.3.1	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.4.2	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.5.1	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.4.0	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.3.0	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.1.0	Trust: 1.0
vendor:	fortinet	model:	fortiddos	scope:	eq	version:	5.4.1	Trust: 1.0
vendor:	フォーティネット	model:	fortiddos	scope:	eq	version:	5.5.0 to 5.5.1	Trust: 0.8
vendor:	フォーティネット	model:	fortiddos	scope:	eq	version:	5.3.0 to 5.3.1	Trust: 0.8
vendor:	フォーティネット	model:	fortiddos	scope:	eq	version:	5.1.0	Trust: 0.8
vendor:	フォーティネット	model:	fortiddos	scope:	eq	version:	5.2.0	Trust: 0.8
vendor:	フォーティネット	model:	fortiddos	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiddos	scope:	eq	version:	5.4.0 to 5.4.2	Trust: 0.8

sources: JVNDB: JVNDB-2022-015696 // NVD: CVE-2022-29060

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-29060
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2022-29060
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2022-015696
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202206-761
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-29060
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-015696
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-015696 // CNNVD: CNNVD-202206-761 // NVD: CVE-2022-29060 // NVD: CVE-2022-29060

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.1
problemtype:	Use hard-coded credentials (CWE-798) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-420594 // JVNDB: JVNDB-2022-015696 // NVD: CVE-2022-29060

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-761

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202206-761

PATCH

title:	FG-IR-22-071	url:	https://www.fortiguard.com/psirt/FG-IR-22-071	Trust: 0.8
title:	Fortinet FortiDDoS Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201661	Trust: 0.6

sources: JVNDB: JVNDB-2022-015696 // CNNVD: CNNVD-202206-761

EXTERNAL IDS

db:	NVD	id:	CVE-2022-29060	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-015696	Trust: 0.8
db:	CNNVD	id:	CNNVD-202206-761	Trust: 0.7
db:	CS-HELP	id:	SB2022060725	Trust: 0.6
db:	VULHUB	id:	VHN-420594	Trust: 0.1
db:	VULMON	id:	CVE-2022-29060	Trust: 0.1

sources: VULHUB: VHN-420594 // VULMON: CVE-2022-29060 // JVNDB: JVNDB-2022-015696 // CNNVD: CNNVD-202206-761 // NVD: CVE-2022-29060

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-071	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-29060	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022060725	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-29060/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-420594 // VULMON: CVE-2022-29060 // JVNDB: JVNDB-2022-015696 // CNNVD: CNNVD-202206-761 // NVD: CVE-2022-29060

SOURCES

db:	VULHUB	id:	VHN-420594
db:	VULMON	id:	CVE-2022-29060
db:	JVNDB	id:	JVNDB-2022-015696
db:	CNNVD	id:	CNNVD-202206-761
db:	NVD	id:	CVE-2022-29060

LAST UPDATE DATE

2024-08-14T14:55:26.463000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-420594	date:	2022-07-27T00:00:00
db:	VULMON	id:	CVE-2022-29060	date:	2022-07-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-015696	date:	2023-09-28T07:48:00
db:	CNNVD	id:	CNNVD-202206-761	date:	2022-07-29T00:00:00
db:	NVD	id:	CVE-2022-29060	date:	2022-07-27T12:50:13.893

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-420594	date:	2022-07-19T00:00:00
db:	VULMON	id:	CVE-2022-29060	date:	2022-07-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-015696	date:	2023-09-28T00:00:00
db:	CNNVD	id:	CNNVD-202206-761	date:	2022-06-07T00:00:00
db:	NVD	id:	CVE-2022-29060	date:	2022-07-19T14:15:08.603