Details of VAR-202302-1418

ID

VAR-202302-1418

CVE

CVE-2022-41335

TITLE

Path traversal vulnerability in multiple Fortinet products

Trust: 0.8

sources: JVNDB: JVNDB-2022-019903

DESCRIPTION

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.10, FortiProxy version 7.2.0 through 7.2.1, 7.0.0 through 7.0.7 and before 2.0.10, FortiSwitchManager 7.2.0 and before 7.0.0 allows an authenticated attacker to read and write files on the underlying Linux system via crafted HTTP requests. fortinet's FortiSwitch Manager , FortiProxy , FortiOS Exists in a past traversal vulnerability.Information may be obtained and information may be tampered with

Trust: 1.8

sources: NVD: CVE-2022-41335 // JVNDB: JVNDB-2022-019903 // VULHUB: VHN-437474 // VULMON: CVE-2022-41335

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiswitchmanager	scope:	eq	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lte	version:	1.1.6	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	eq	version:	7.2.1	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	eq	version:	7.2.1	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	1.1.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	6.2.12	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lte	version:	2.0.10	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	6.4.10	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lte	version:	1.2.13	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	eq	version:	7.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	eq	version:	7.2.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	1.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lte	version:	7.0.7	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	eq	version:	7.2.2	Trust: 1.0
vendor:	fortinet	model:	fortiswitchmanager	scope:	eq	version:	7.2.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	7.0.8	Trust: 1.0
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	7.2.0	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	7.2.2	Trust: 0.8
vendor:	フォーティネット	model:	fortiswitch manager	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiproxy	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	7.0.0 to 7.0.8	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	6.4.0 to 6.4.10	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	6.2.0 to 6.2.12	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	7.2.1	Trust: 0.8

sources: JVNDB: JVNDB-2022-019903 // NVD: CVE-2022-41335

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-41335
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2022-41335
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-41335
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202302-1427
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-41335
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2022-41335
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-41335
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-019903 // CNNVD: CNNVD-202302-1427 // NVD: CVE-2022-41335 // NVD: CVE-2022-41335

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-23	Trust: 1.0
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-437474 // JVNDB: JVNDB-2022-019903 // NVD: CVE-2022-41335

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1427

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202302-1427

PATCH

title:	FG-IR-22-391	url:	https://www.fortiguard.com/psirt/FG-IR-22-391	Trust: 0.8
title:	Fortinet FortiOS and FortiSwitch Repair measures for path traversal vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=226970	Trust: 0.6

sources: JVNDB: JVNDB-2022-019903 // CNNVD: CNNVD-202302-1427

EXTERNAL IDS

db:	NVD	id:	CVE-2022-41335	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-019903	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-1427	Trust: 0.6
db:	VULHUB	id:	VHN-437474	Trust: 0.1
db:	VULMON	id:	CVE-2022-41335	Trust: 0.1

sources: VULHUB: VHN-437474 // VULMON: CVE-2022-41335 // JVNDB: JVNDB-2022-019903 // CNNVD: CNNVD-202302-1427 // NVD: CVE-2022-41335

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-391	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-41335	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-41335/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-437474 // VULMON: CVE-2022-41335 // JVNDB: JVNDB-2022-019903 // CNNVD: CNNVD-202302-1427 // NVD: CVE-2022-41335

SOURCES

db:	VULHUB	id:	VHN-437474
db:	VULMON	id:	CVE-2022-41335
db:	JVNDB	id:	JVNDB-2022-019903
db:	CNNVD	id:	CNNVD-202302-1427
db:	NVD	id:	CVE-2022-41335

LAST UPDATE DATE

2024-08-14T14:10:18.521000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-437474	date:	2023-02-27T00:00:00
db:	VULMON	id:	CVE-2022-41335	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2022-019903	date:	2023-10-30T01:23:00
db:	CNNVD	id:	CNNVD-202302-1427	date:	2023-02-28T00:00:00
db:	NVD	id:	CVE-2022-41335	date:	2023-11-07T03:52:48.110

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-437474	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2022-41335	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2022-019903	date:	2023-10-30T00:00:00
db:	CNNVD	id:	CNNVD-202302-1427	date:	2023-02-16T00:00:00
db:	NVD	id:	CVE-2022-41335	date:	2023-02-16T19:15:13.513