Details of VAR-202207-0070

ID

VAR-202207-0070

CVE

CVE-2022-26118

TITLE

FortiManager and FortiAnalyzer Vulnerability in privilege management in

Trust: 0.8

sources: JVNDB: JVNDB-2022-015257

DESCRIPTION

A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0 through 7.0.3 may allow a local and authenticated attacker with a restricted shell to escalate their privileges to root due to incorrect permissions of some folders and executable files on the system. FortiManager and FortiAnalyzer Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiManager has a security vulnerability

Trust: 1.71

sources: NVD: CVE-2022-26118 // JVNDB: JVNDB-2022-015257 // VULHUB: VHN-416879

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	6.4.8	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lt	version:	6.4.8	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lt	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	フォーティネット	model:	fortianalyzer	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-015257 // NVD: CVE-2022-26118

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-26118
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2022-26118
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2022-015257
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202207-410
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-26118
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-015257
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-015257 // CNNVD: CNNVD-202207-410 // NVD: CVE-2022-26118 // NVD: CVE-2022-26118

PROBLEMTYPE DATA

problemtype:	CWE-269	Trust: 1.1
problemtype:	Improper authority management (CWE-269) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-416879 // JVNDB: JVNDB-2022-015257 // NVD: CVE-2022-26118

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-410

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202207-410

PATCH

title:	FG-IR-21-056	url:	https://www.fortiguard.com/psirt/FG-IR-21-056	Trust: 0.8
title:	Fortinet FortiManager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201342	Trust: 0.6

sources: JVNDB: JVNDB-2022-015257 // CNNVD: CNNVD-202207-410

EXTERNAL IDS

db:	NVD	id:	CVE-2022-26118	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-015257	Trust: 0.8
db:	CNNVD	id:	CNNVD-202207-410	Trust: 0.7
db:	CS-HELP	id:	SB2022070535	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.3267	Trust: 0.6
db:	VULHUB	id:	VHN-416879	Trust: 0.1
db:	VULMON	id:	CVE-2022-26118	Trust: 0.1

sources: VULHUB: VHN-416879 // VULMON: CVE-2022-26118 // JVNDB: JVNDB-2022-015257 // CNNVD: CNNVD-202207-410 // NVD: CVE-2022-26118

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-21-056	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-26118	Trust: 0.8
url:	https://vigilance.fr/vulnerability/fortinet-fortimanager-fortianalyzer-privilege-escalation-38741	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-26118/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.3267	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022070535	Trust: 0.6

sources: VULHUB: VHN-416879 // JVNDB: JVNDB-2022-015257 // CNNVD: CNNVD-202207-410 // NVD: CVE-2022-26118

SOURCES

db:	VULHUB	id:	VHN-416879
db:	VULMON	id:	CVE-2022-26118
db:	JVNDB	id:	JVNDB-2022-015257
db:	CNNVD	id:	CNNVD-202207-410
db:	NVD	id:	CVE-2022-26118

LAST UPDATE DATE

2024-08-14T13:22:03.884000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-416879	date:	2022-07-25T00:00:00
db:	JVNDB	id:	JVNDB-2022-015257	date:	2023-09-26T05:03:00
db:	CNNVD	id:	CNNVD-202207-410	date:	2022-07-26T00:00:00
db:	NVD	id:	CVE-2022-26118	date:	2022-07-25T14:12:44.407

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-416879	date:	2022-07-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-015257	date:	2023-09-26T00:00:00
db:	CNNVD	id:	CNNVD-202207-410	date:	2022-07-05T00:00:00
db:	NVD	id:	CVE-2022-26118	date:	2022-07-18T18:15:09.070