Details of VAR-202210-0408

ID

VAR-202210-0408

CVE

CVE-2022-26121

TITLE

fortinet's FortiManager and FortiAnalyzer Vulnerability in leaking resources to the wrong area in

Trust: 0.8

sources: JVNDB: JVNDB-2022-018953

DESCRIPTION

An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path. fortinet's FortiManager and FortiAnalyzer Exists in a vulnerability related to the leakage of resources to the wrong area.Information may be obtained. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite. The following products and versions are affected: FortiAnalyzer versions 7.0.0 to 7.0.3, 6.4.0 to 6.4.8, 6.2.0 to 6.2.9, 6.0.0 to 6.0.11, 5.6.0 to 5.6. 11 versions, FortiManager GUI versions 7.0.0 to 7.0.3, 6.4.0 to 6.4.8, 6.2.0 to 6.2.9, 6.0.0 to 6.0.11, 5.6.0 to 5.6.11

Trust: 1.71

sources: NVD: CVE-2022-26121 // JVNDB: JVNDB-2022-018953 // VULHUB: VHN-416882

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gt	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	7.0.3	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	5.6.11	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gt	version:	5.6.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	7.0.3	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	5.6.11	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gt	version:	5.6.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.4.8	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gt	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	6.4.8	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gt	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gt	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gt	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gt	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	gt	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gt	version:	6.4.0	Trust: 1.0
vendor:	フォーティネット	model:	fortianalyzer	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.0.0 greater than 6.0.11 to	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	7.0.0 greater than 7.0.3 to	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	5.6.0 greater than 5.6.11 to	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.2.0 greater than 6.2.9 to	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	6.4.0 greater than 6.4.8 to	Trust: 0.8

sources: JVNDB: JVNDB-2022-018953 // NVD: CVE-2022-26121

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-26121
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2022-26121
value:	LOW
Trust: 1.0
NVD:	CVE-2022-26121
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202210-359
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-26121
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2022-26121
baseSeverity:	LOW
baseScore:	3.7
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2022-26121
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359 // NVD: CVE-2022-26121 // NVD: CVE-2022-26121

PROBLEMTYPE DATA

problemtype:	CWE-668	Trust: 1.1
problemtype:	Leakage of resources to the wrong area (CWE-668) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-416882 // JVNDB: JVNDB-2022-018953 // NVD: CVE-2022-26121

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-359

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202210-359

PATCH

title:	FG-IR-22-026	url:	https://www.fortiguard.com/psirt/FG-IR-22-026	Trust: 0.8
title:	Fortinet FortiManager and FortiAnalyzer Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=210013	Trust: 0.6

sources: JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359

EXTERNAL IDS

db:	NVD	id:	CVE-2022-26121	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-018953	Trust: 0.8
db:	CNNVD	id:	CNNVD-202210-359	Trust: 0.7
db:	VULHUB	id:	VHN-416882	Trust: 0.1

sources: VULHUB: VHN-416882 // JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359 // NVD: CVE-2022-26121

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-026	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-26121	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-26121/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortinet-fortianalyzer-fortimanager-information-disclosure-via-gui-template-image-39500	Trust: 0.6

sources: VULHUB: VHN-416882 // JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359 // NVD: CVE-2022-26121

SOURCES

db:	VULHUB	id:	VHN-416882
db:	JVNDB	id:	JVNDB-2022-018953
db:	CNNVD	id:	CNNVD-202210-359
db:	NVD	id:	CVE-2022-26121

LAST UPDATE DATE

2024-08-14T15:27:04.423000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-416882	date:	2022-10-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-018953	date:	2023-10-24T02:20:00
db:	CNNVD	id:	CNNVD-202210-359	date:	2022-10-13T00:00:00
db:	NVD	id:	CVE-2022-26121	date:	2022-10-12T18:44:41.780

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-416882	date:	2022-10-10T00:00:00
db:	JVNDB	id:	JVNDB-2022-018953	date:	2023-10-24T00:00:00
db:	CNNVD	id:	CNNVD-202210-359	date:	2022-10-10T00:00:00
db:	NVD	id:	CVE-2022-26121	date:	2022-10-10T14:15:09.727