Details of VAR-202302-1353

ID

VAR-202302-1353

CVE

CVE-2022-39954

TITLE

fortinet's FortiNAC and FortiNAC-F In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-019900

DESCRIPTION

An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents. fortinet's FortiNAC and FortiNAC-F for, XML There is a vulnerability in an external entity.Information is obtained and service operation is interrupted (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2022-39954 // JVNDB: JVNDB-2022-019900 // VULHUB: VHN-435751 // VULMON: CVE-2022-39954

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortinac	scope:	lt	version:	9.4.2	Trust: 1.0
vendor:	fortinet	model:	fortinac-f	scope:	lt	version:	7.2.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	lte	version:	9.2.7	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	9.4.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.3.7	Trust: 1.0
vendor:	フォーティネット	model:	fortinac	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortinac-f	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-019900 // NVD: CVE-2022-39954

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-39954
value:	CRITICAL
Trust: 1.0
psirt@fortinet.com:	CVE-2022-39954
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-39954
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202302-1435
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2022-39954
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2022-39954
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	3.4
version:	3.1
Trust: 1.0
NVD:	CVE-2022-39954
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-019900 // CNNVD: CNNVD-202302-1435 // NVD: CVE-2022-39954 // NVD: CVE-2022-39954

PROBLEMTYPE DATA

problemtype:	CWE-611	Trust: 1.1
problemtype:	XML Improper restriction of external entity references (CWE-611) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-435751 // JVNDB: JVNDB-2022-019900 // NVD: CVE-2022-39954

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1435

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202302-1435

PATCH

title:	FG-IR-22-304	url:	https://www.fortiguard.com/psirt/FG-IR-22-304	Trust: 0.8
title:	Fortinet FortiNAC Fixes for code issue vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=226975	Trust: 0.6

sources: JVNDB: JVNDB-2022-019900 // CNNVD: CNNVD-202302-1435

EXTERNAL IDS

db:	NVD	id:	CVE-2022-39954	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-019900	Trust: 0.8
db:	AUSCERT	id:	ESB-2023.1054	Trust: 0.6
db:	CNNVD	id:	CNNVD-202302-1435	Trust: 0.6
db:	VULHUB	id:	VHN-435751	Trust: 0.1
db:	VULMON	id:	CVE-2022-39954	Trust: 0.1

sources: VULHUB: VHN-435751 // VULMON: CVE-2022-39954 // JVNDB: JVNDB-2022-019900 // CNNVD: CNNVD-202302-1435 // NVD: CVE-2022-39954

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-304	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-39954	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-39954/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.1054	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-435751 // VULMON: CVE-2022-39954 // JVNDB: JVNDB-2022-019900 // CNNVD: CNNVD-202302-1435 // NVD: CVE-2022-39954

SOURCES

db:	VULHUB	id:	VHN-435751
db:	VULMON	id:	CVE-2022-39954
db:	JVNDB	id:	JVNDB-2022-019900
db:	CNNVD	id:	CNNVD-202302-1435
db:	NVD	id:	CVE-2022-39954

LAST UPDATE DATE

2024-08-14T14:30:44.521000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-435751	date:	2023-02-27T00:00:00
db:	VULMON	id:	CVE-2022-39954	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2022-019900	date:	2023-10-30T01:08:00
db:	CNNVD	id:	CNNVD-202302-1435	date:	2023-02-28T00:00:00
db:	NVD	id:	CVE-2022-39954	date:	2023-11-07T03:50:41.493

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-435751	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2022-39954	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2022-019900	date:	2023-10-30T00:00:00
db:	CNNVD	id:	CNNVD-202302-1435	date:	2023-02-16T00:00:00
db:	NVD	id:	CVE-2022-39954	date:	2023-02-16T19:15:13.120