ID

VAR-202210-0198


CVE

CVE-2022-40684


TITLE

Fortinet FortiOS Access control error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202210-347

DESCRIPTION

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Fortinet FortiOS is a security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam. Fortinet FortiOS has security flaws. Currently there is no information about this vulnerability; please keep an eye on CNNVD or vendor announcements.

Trust: 0.99

sources: NVD: CVE-2022-40684 // VULHUB: VHN-429172

AFFECTED PRODUCTS

vendor: fortinet, model: fortiproxy, scope: eq, version: 7.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 7.2.0

Trust: 1.0

vendor: fortinet, model: fortiswitchmanager, scope: eq, version: 7.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lt, version: 7.2.2

Trust: 1.0

vendor: fortinet, model: fortiswitchmanager, scope: eq, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: gte, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 7.0.0

Trust: 1.0

vendor: fortinet, model: fortiproxy, scope: lt, version: 7.0.7

Trust: 1.0

vendor: fortinet, model: fortios, scope: lt, version: 7.0.7

Trust: 1.0

sources: NVD: CVE-2022-40684

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-40684
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202210-347
value: CRITICAL

Trust: 0.6

NVD: CVE-2022-40684
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2022-40684 // CNNVD: CNNVD-202210-347

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.1

sources: VULHUB: VHN-429172 // NVD: CVE-2022-40684

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-347

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202210-347

CONFIGURATIONS

sources: NVD: CVE-2022-40684

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-429172

EXTERNAL IDS

db: PACKETSTORM, id: 169431

Trust: 1.7

db: NVD, id: CVE-2022-40684

Trust: 1.7

db: PACKETSTORM, id: 171515

Trust: 1.6

db: CNNVD, id: CNNVD-202210-347

Trust: 0.7

db: EXPLOIT-DB, id: 51092

Trust: 0.6

db: VULHUB, id: VHN-429172

Trust: 0.1

sources: VULHUB: VHN-429172 // NVD: CVE-2022-40684 // CNNVD: CNNVD-202210-347

REFERENCES

url:http://packetstormsecurity.com/files/169431/fortinet-fortios-fortiproxy-fortiswitchmanager-authentication-bypass.html

Trust: 2.3

url:https://fortiguard.com/psirt/fg-ir-22-377

Trust: 1.7

url:http://packetstormsecurity.com/files/171515/fortinet-7.2.1-authentication-bypass.html

Trust: 1.6

url:https://vigilance.fr/vulnerability/fortios-privilege-escalation-39490

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-40684/

Trust: 0.6

url:https://vigilance.fr/vulnerability/fortinet-fortios-privilege-escalation-via-http-https-administrative-interface-39490

Trust: 0.6

url:https://www.exploit-db.com/exploits/51092

Trust: 0.6

sources: VULHUB: VHN-429172 // NVD: CVE-2022-40684 // CNNVD: CNNVD-202210-347

SOURCES

db: VULHUB, id: VHN-429172
db: NVD, id: CVE-2022-40684
db: CNNVD, id: CNNVD-202210-347

LAST UPDATE DATE

2023-04-21T16:49:16.060000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-429172, date: 2022-10-20T00:00:00
db: NVD, id: CVE-2022-40684, date: 2023-03-27T18:15:00
db: CNNVD, id: CNNVD-202210-347, date: 2023-03-28T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-429172, date: 2022-10-18T00:00:00
db: NVD, id: CVE-2022-40684, date: 2022-10-18T14:15:00
db: CNNVD, id: CNNVD-202210-347, date: 2022-10-07T00:00:00