CVE-2022-38377

An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-20-143	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer:7.2.0:::::::*
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager:7.2.0:::::::*

History

01 Dec 2022, 13:28

Type	Values Removed	Values Added
CPE		cpe:2.3:a:fortinet:fortianalyzer:::::::: cpe:2.3:a:fortinet:fortimanager:::::::: cpe:2.3:a:fortinet:fortimanager:7.2.0:::::::* cpe:2.3:a:fortinet:fortianalyzer:7.2.0:::::::*
References	~~(MISC) https://fortiguard.com/psirt/FG-IR-20-143 -~~	(MISC) https://fortiguard.com/psirt/FG-IR-20-143 - Patch, Vendor Advisory
First Time		Fortinet fortianalyzer Fortinet Fortinet fortimanager
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 2.7

25 Nov 2022, 18:42

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-25 16:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-38377

Mitre link : CVE-2022-38377

CVE.ORG link : CVE-2022-38377

JSON object : View

Products Affected

fortinet

fortimanager
fortianalyzer

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2022-38377", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-11-25T16:15:10.747", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-20-143", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiManager 7.2.0, 7.0.0 a 7.0.3, 6.4.0 a 6.4.7, 6.2.0 a 6.2.9, 6.0.0 a 6.0.11 y FortiAnalyzer 7.2 .0, 7.0.0 a 7.0.3, 6.4.0 a 6.4.8, 6.2.0 a 6.2.10, 6.0.0 a 6.0.12 pueden permitir que un usuario administrador remoto y autenticado asignado a un ADOM espec\u00edfico acceda a otros ADOM de informaci\u00f3n, como informaci\u00f3n del dispositivo e informaci\u00f3n del panel."}], "lastModified": "2023-11-07T03:50:06.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2318A6AC-AA3E-4604-968C-35A46E79FCB8", "versionEndIncluding": "6.0.12", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E816164-8C08-4BF7-863B-112076AB6AE2", "versionEndIncluding": "6.2.10", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19769C95-B563-476D-A4B3-6C317294F1E9", "versionEndIncluding": "6.4.8", "versionStartIncluding": "6.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42D096D2-1FCB-43A6-8CF3-3226F631BAC4", "versionEndIncluding": "7.0.3", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:7.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "319D2F9D-E1E5-49C7-8ABD-0A64D7B05D58"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD729EF3-1665-4CE7-9FDD-450D5F79A2B9", "versionEndIncluding": "6.0.11", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D79F4BE-B6BB-414A-A132-D3650B2B5B4F", "versionEndIncluding": "6.2.9", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "105F23CF-6375-402E-A2ED-9827510196EA", "versionEndIncluding": "6.4.7", "versionStartIncluding": "6.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA4F8D67-139F-4524-88D4-B32A1580BFBE", "versionEndIncluding": "7.0.3", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:7.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "407755AA-0C23-4C5B-88A2-8BC12A3D268D"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}