ID

VAR-202302-1298


CVE

CVE-2022-38378


TITLE

Privilege management vulnerability in Fortinet's FortiProxy and FortiOS

Trust: 0.8

sources: JVNDB: JVNDB-2023-004441

DESCRIPTION

An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7.2.0 and before 7.0.7 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an attacker that has access to the admin profile section (System subsection Administrator Users) to modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands. Fortinet's FortiProxy and FortiOS contain a permission management vulnerability. Information may be obtained and information may be tampered with.

Trust: 1.8

sources: NVD: CVE-2022-38378 // JVNDB: JVNDB-2023-004441 // VULHUB: VHN-434172 // VULMON: CVE-2022-38378

AFFECTED PRODUCTS

vendor: fortinet, model: fortiproxy, scope: lte, version: 2.0.9

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: gte, version: 7.2.0

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: gte, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lt, version: 7.2.1

Trust: 1.0

vendor: fortinet, model: fortios, scope: lt, version: 7.0.8

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: lt, version: 7.2.2

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: lt, version: 7.0.8

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 7.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: gte, version: 1.1.0

Trust: 1.0

vendor: Fortinet, model: fortios, scope: eq, version: 7.2.0 and above, below 7.2.1

Trust: 0.8

vendor: Fortinet, model: fortios, scope: eq, version: 6.0.0 and above, below 7.0.8

Trust: 0.8

vendor: Fortinet, model: fortiproxy, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-004441 // NVD: CVE-2022-38378

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-38378
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2022-38378
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-38378
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202302-1438
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-38378
baseSeverity: MEDIUM
baseScore: 6.0
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 5.2
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2022-38378
baseSeverity: MEDIUM
baseScore: 4.2
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.8
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-38378
baseSeverity: MEDIUM
baseScore: 6.0
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-004441 // CNNVD: CNNVD-202302-1438 // NVD: CVE-2022-38378 // NVD: CVE-2022-38378

PROBLEMTYPE DATA

problemtype: CWE-269

Trust: 1.1

problemtype: Improper privilege management (CWE-269) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-434172 // JVNDB: JVNDB-2023-004441 // NVD: CVE-2022-38378

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202302-1438

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202302-1438

PATCH

title: FG-IR-22-346, url: https://fortiguard.com/psirt/FG-IR-22-346

Trust: 0.8

title: Fortinet FortiOS Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=226807

Trust: 0.6

sources: JVNDB: JVNDB-2023-004441 // CNNVD: CNNVD-202302-1438

EXTERNAL IDS

db: NVD, id: CVE-2022-38378

Trust: 3.4

db: JVNDB, id: JVNDB-2023-004441

Trust: 0.8

db: CNNVD, id: CNNVD-202302-1438

Trust: 0.6

db: VULHUB, id: VHN-434172

Trust: 0.1

db: VULMON, id: CVE-2022-38378

Trust: 0.1

sources: VULHUB: VHN-434172 // VULMON: CVE-2022-38378 // JVNDB: JVNDB-2023-004441 // CNNVD: CNNVD-202302-1438 // NVD: CVE-2022-38378

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-22-346

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2022-38378

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2022-38378/

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-434172 // VULMON: CVE-2022-38378 // JVNDB: JVNDB-2023-004441 // CNNVD: CNNVD-202302-1438 // NVD: CVE-2022-38378

SOURCES

db: VULHUB, id: VHN-434172
db: VULMON, id: CVE-2022-38378
db: JVNDB, id: JVNDB-2023-004441
db: CNNVD, id: CNNVD-202302-1438
db: NVD, id: CVE-2022-38378

LAST UPDATE DATE

2024-08-14T13:42:03.976000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-434172, date: 2023-02-24T00:00:00
db: VULMON, id: CVE-2022-38378, date: 2023-02-16T00:00:00
db: JVNDB, id: JVNDB-2023-004441, date: 2023-10-30T06:16:00
db: CNNVD, id: CNNVD-202302-1438, date: 2023-02-27T00:00:00
db: NVD, id: CVE-2022-38378, date: 2023-11-07T03:50:06.943

SOURCES RELEASE DATE

db: VULHUB, id: VHN-434172, date: 2023-02-16T00:00:00
db: VULMON, id: CVE-2022-38378, date: 2023-02-16T00:00:00
db: JVNDB, id: JVNDB-2023-004441, date: 2023-10-30T00:00:00
db: CNNVD, id: CNNVD-202302-1438, date: 2023-02-16T00:00:00
db: NVD, id: CVE-2022-38378, date: 2023-02-16T19:15:12.930