CVE-2022-38375

An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-22-329	Vendor Advisory
https://fortiguard.com/psirt/FG-IR-22-329	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortinac::::::::
	cpe:2.3:a:fortinet:fortinac::::::::
	cpe:2.3:a:fortinet:fortinac-f::::::::

History

21 Nov 2024, 07:16

Type	Values Removed	Values Added
References	~~() https://fortiguard.com/psirt/FG-IR-22-329 - Vendor Advisory~~	() https://fortiguard.com/psirt/FG-IR-22-329 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 9.1

Information

Published : 2023-02-16 19:15

Updated : 2024-11-21 07:16

NVD link : CVE-2022-38375

Mitre link : CVE-2022-38375

CVE.ORG link : CVE-2022-38375

JSON object : View

Products Affected

fortinet

fortinac-f
fortinac

CWE

CWE-285

Improper Authorization

NVD-CWE-Other

{"id": "CVE-2022-38375", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-02-16T19:15:12.797", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-329", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}, {"url": "https://fortiguard.com/psirt/FG-IR-22-329", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-285"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability [CWE-285]\u00a0 in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests."}], "lastModified": "2024-11-21T07:16:20.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AA31846-D095-4DC1-8FFC-B28447054A81", "versionEndExcluding": "9.2.7", "versionStartIncluding": "9.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84AEE221-36B9-41D6-A09F-B0D81AA79576", "versionEndExcluding": "9.4.2", "versionStartIncluding": "9.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortinac-f:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3979307-56D3-48DC-A09E-8FF75FE38664", "versionEndExcluding": "7.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}