Vulnerability Monitor


CVE-2022-22300

An improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 through 6.4.7, FortiAnalyzer version 7.0.0 through 7.0.2, FortiManager version 5.6.0 through 5.6.11, FortiManager version 6.0.0 through 6.0.11, FortiManager version 6.2.0 through 6.2.9, FortiManager version 6.4.0 through 6.4.7, FortiManager version 7.0.0 through 7.0.2 allows an attacker to bypass the device policy and force the password-change action for its user.

Published

2022-03-01T19:15:08.590

Last Modified

2024-11-21T06:46:35.730

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-755

Affected Vendors & Products
Type         Vendor    Product        Version/Range  Vulnerable?
Application  fortinet  fortianalyzer  ≤ 5.6.11       Yes
Application  fortinet  fortianalyzer  ≤ 6.0.11       Yes
Application  fortinet  fortianalyzer  ≤ 6.2.9        Yes
Application  fortinet  fortianalyzer  ≤ 6.4.7        Yes
Application  fortinet  fortianalyzer  < 7.0.3        Yes
Application  fortinet  fortimanager   ≤ 5.6.11       Yes
Application  fortinet  fortimanager   ≤ 6.0.11       Yes
Application  fortinet  fortimanager   ≤ 6.2.9        Yes
Application  fortinet  fortimanager   ≤ 6.4.7        Yes
Application  fortinet  fortimanager   < 7.0.3        Yes

References