Sign-up

ID

VAR-202207-0114


CVE

CVE-2022-26117


TITLE

FortiNAC  Vulnerability in requesting weak passwords in

Trust: 0.8

sources: JVNDB: JVNDB-2022-015258

DESCRIPTION

An empty password in configuration file vulnerability [CWE-258] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.3 and below may allow an authenticated attacker to access the MySQL databases via the CLI. FortiNAC contains a weak password requirement vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiNAC is a set of network access control solutions from Fortinet. This product is mainly used for network access control and IoT security protection. Fortinet FortiNAC has a security vulnerability that stems from the fact that the root account accessing the MySQL database does not have a password set by default and allows connections from localhost. An attacker exploited this vulnerability to connect to a MySQL database as root. There is a security vulnerability in Fortinet FortiNAC

Trust: 2.25

sources: NVD: CVE-2022-26117 // JVNDB: JVNDB-2022-015258 // CNNVD: CNNVD-202207-383 // VULHUB: VHN-416878

AFFECTED PRODUCTS

vendor:fortinetmodel:fortinacscope:lteversion:8.7.6

Trust: 1.0

vendor:fortinetmodel:fortinacscope:ltversion:9.2.4

Trust: 1.0

vendor:fortinetmodel:fortinacscope:gteversion:9.2.0

Trust: 1.0

vendor:fortinetmodel:fortinacscope:gteversion:8.7.0

Trust: 1.0

vendor:fortinetmodel:fortinacscope:gteversion:8.6.2

Trust: 1.0

vendor:fortinetmodel:fortinacscope:lteversion:8.6.5

Trust: 1.0

vendor:fortinetmodel:fortinacscope:lteversion:8.5.2

Trust: 1.0

vendor:fortinetmodel:fortinacscope:gteversion:9.1.0

Trust: 1.0

vendor:fortinetmodel:fortinacscope:eqversion:8.3.7

Trust: 1.0

vendor:fortinetmodel:fortinacscope:eqversion:8.5.4

Trust: 1.0

vendor:fortinetmodel:fortinacscope:gteversion:8.8.0

Trust: 1.0

vendor:fortinetmodel:fortinacscope:eqversion:8.6.0

Trust: 1.0

vendor:fortinetmodel:fortinacscope:lteversion:8.8.11

Trust: 1.0

vendor:fortinetmodel:fortinacscope:gteversion:8.5.0

Trust: 1.0

vendor:fortinetmodel:fortinacscope:ltversion:9.1.6

Trust: 1.0

vendor:フォーティネットmodel:fortinacscope:lteversion:8.8.11 and earlier

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:lteversion:9.1.5 and earlier

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:lteversion:8.7.6 and earlier

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:eqversion:8.6.0

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:eqversion: -

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:lteversion:9.2.3 and earlier

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:eqversion:8.5.4

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:lteversion:8.3.7 and earlier

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:lteversion:8.5.2 and earlier

Trust: 0.8

vendor:フォーティネットmodel:fortinacscope:lteversion:8.6.5 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2022-015258 // NVD: CVE-2022-26117

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26117
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2022-26117
value: HIGH

Trust: 1.0

OTHER: JVNDB-2022-015258
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202207-383
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-26117
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-015258
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-015258 // CNNVD: CNNVD-202207-383 // NVD: CVE-2022-26117 // NVD: CVE-2022-26117

PROBLEMTYPE DATA

problemtype:CWE-521

Trust: 1.1

problemtype:Weak password request (CWE-521) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-416878 // JVNDB: JVNDB-2022-015258 // NVD: CVE-2022-26117

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-383

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202207-383

PATCH

title:FG-IR-22-058url:https://www.fortiguard.com/psirt/FG-IR-22-058

Trust: 0.8

title:Fortinet FortiNAC Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=201341

Trust: 0.6

sources: JVNDB: JVNDB-2022-015258 // CNNVD: CNNVD-202207-383

EXTERNAL IDS

db:NVDid:CVE-2022-26117

Trust: 3.3

db:JVNDBid:JVNDB-2022-015258

Trust: 0.8

db:CNNVDid:CNNVD-202207-383

Trust: 0.7

db:AUSCERTid:ESB-2022.3268

Trust: 0.6

db:CS-HELPid:SB2022070529

Trust: 0.6

db:VULHUBid:VHN-416878

Trust: 0.1

sources: VULHUB: VHN-416878 // JVNDB: JVNDB-2022-015258 // CNNVD: CNNVD-202207-383 // NVD: CVE-2022-26117

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-22-058

Trust: 1.7

url:https://github.com/orangecertcc/security-research/security/advisories/ghsa-r259-5p5p-2q47

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-26117

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-26117/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022070529

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3268

Trust: 0.6

sources: VULHUB: VHN-416878 // JVNDB: JVNDB-2022-015258 // CNNVD: CNNVD-202207-383 // NVD: CVE-2022-26117

SOURCES

db:VULHUBid:VHN-416878
db:JVNDBid:JVNDB-2022-015258
db:CNNVDid:CNNVD-202207-383
db:NVDid:CVE-2022-26117

LAST UPDATE DATE

2024-08-14T15:21:45.915000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-416878date:2023-02-16T00:00:00
db:JVNDBid:JVNDB-2022-015258date:2023-09-26T05:07:00
db:CNNVDid:CNNVD-202207-383date:2023-02-01T00:00:00
db:NVDid:CVE-2022-26117date:2023-02-16T19:28:48.090

SOURCES RELEASE DATE

db:VULHUBid:VHN-416878date:2022-07-18T00:00:00
db:JVNDBid:JVNDB-2022-015258date:2023-09-26T00:00:00
db:CNNVDid:CNNVD-202207-383date:2022-07-05T00:00:00
db:NVDid:CVE-2022-26117date:2022-07-18T18:15:09.017