ID

VAR-202210-0408


CVE

CVE-2022-26121


TITLE

Fortinet FortiManager and FortiAnalyzer vulnerability: leakage of resources to the wrong area

Trust: 0.8

sources: JVNDB: JVNDB-2022-018953

DESCRIPTION

An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, and 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path. Fortinet's FortiManager and FortiAnalyzer contain a vulnerability related to the leakage of resources to the wrong area; information may be obtained. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different administrative domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and to analyze, report on, and archive the security events, network traffic, and Web content in those logs through its report suite. The following products and versions are affected: FortiAnalyzer versions 7.0.0 to 7.0.3, 6.4.0 to 6.4.8, 6.2.0 to 6.2.9, 6.0.0 to 6.0.11, and 5.6.0 to 5.6.11; FortiManager GUI versions 7.0.0 to 7.0.3, 6.4.0 to 6.4.8, 6.2.0 to 6.2.9, 6.0.0 to 6.0.11, and 5.6.0 to 5.6.11.

Trust: 1.71

sources: NVD: CVE-2022-26121 // JVNDB: JVNDB-2022-018953 // VULHUB: VHN-416882

AFFECTED PRODUCTS

vendor: fortinet, model: fortimanager, scope: lte, version: 6.0.11

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gt, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: lte, version: 6.2.9

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: lte, version: 7.0.3

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: lte, version: 5.6.11

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: gt, version: 5.6.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 6.2.9

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 7.0.3

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 5.6.11

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gt, version: 5.6.0

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: lte, version: 6.4.8

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: gt, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 6.4.8

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: gt, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gt, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gt, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: gt, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: lte, version: 6.0.11

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: gt, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gt, version: 6.4.0

Trust: 1.0

vendor: Fortinet, model: fortianalyzer, scope: -, version: -

Trust: 0.8

vendor: Fortinet, model: fortimanager, scope: eq, version: 6.0.0 through 6.0.11

Trust: 0.8

vendor: Fortinet, model: fortimanager, scope: eq, version: 7.0.0 through 7.0.3

Trust: 0.8

vendor: Fortinet, model: fortimanager, scope: eq, version: 5.6.0 through 5.6.11

Trust: 0.8

vendor: Fortinet, model: fortimanager, scope: eq, version: 6.2.0 through 6.2.9

Trust: 0.8

vendor: Fortinet, model: fortimanager, scope: eq, version: 6.4.0 through 6.4.8

Trust: 0.8

sources: JVNDB: JVNDB-2022-018953 // NVD: CVE-2022-26121

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26121
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2022-26121
value: LOW

Trust: 1.0

NVD: CVE-2022-26121
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202210-359
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-26121
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2022-26121
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-26121
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359 // NVD: CVE-2022-26121 // NVD: CVE-2022-26121

PROBLEMTYPE DATA

problemtype: CWE-668

Trust: 1.1

problemtype: Leakage of resources to the wrong area (CWE-668) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-416882 // JVNDB: JVNDB-2022-018953 // NVD: CVE-2022-26121

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-359

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202210-359

PATCH

title: FG-IR-22-026, url: https://www.fortiguard.com/psirt/FG-IR-22-026

Trust: 0.8

title: Fortinet FortiManager and FortiAnalyzer Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=210013

Trust: 0.6

sources: JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359

EXTERNAL IDS

db: NVD, id: CVE-2022-26121

Trust: 3.3

db: JVNDB, id: JVNDB-2022-018953

Trust: 0.8

db: CNNVD, id: CNNVD-202210-359

Trust: 0.7

db: VULHUB, id: VHN-416882

Trust: 0.1

sources: VULHUB: VHN-416882 // JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359 // NVD: CVE-2022-26121

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-22-026

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2022-26121

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2022-26121/

Trust: 0.6

url: https://vigilance.fr/vulnerability/fortinet-fortianalyzer-fortimanager-information-disclosure-via-gui-template-image-39500

Trust: 0.6

sources: VULHUB: VHN-416882 // JVNDB: JVNDB-2022-018953 // CNNVD: CNNVD-202210-359 // NVD: CVE-2022-26121

SOURCES

db: VULHUB, id: VHN-416882
db: JVNDB, id: JVNDB-2022-018953
db: CNNVD, id: CNNVD-202210-359
db: NVD, id: CVE-2022-26121

LAST UPDATE DATE

2024-08-14T15:27:04.423000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-416882, date: 2022-10-12T00:00:00
db: JVNDB, id: JVNDB-2022-018953, date: 2023-10-24T02:20:00
db: CNNVD, id: CNNVD-202210-359, date: 2022-10-13T00:00:00
db: NVD, id: CVE-2022-26121, date: 2022-10-12T18:44:41.780

SOURCES RELEASE DATE

db: VULHUB, id: VHN-416882, date: 2022-10-10T00:00:00
db: JVNDB, id: JVNDB-2022-018953, date: 2023-10-24T00:00:00
db: CNNVD, id: CNNVD-202210-359, date: 2022-10-10T00:00:00
db: NVD, id: CVE-2022-26121, date: 2022-10-10T14:15:09.727