Lucene search

FortinetCVE-2022-22302

HistoryJul 11, 2023 - 9:15 a.m.

CVE-2022-22302

2023-07-1109:15:09

CWE-312

fortinet

web.nvd.nist.gov

700

cve-2022-22302

fortigate

fortiauthenticator

cwe-312

vulnerability

nvd

security

sensitive information

clear text storage

local unauthorized access

private keys

filesystem access

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U

AI Score

3.3

Confidence

High

EPSS

Percentile

9.0%

JSON

A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.

Affected configurations

Nvd

Node

fortinetfortiauthenticatorRange6.0.0–6.0.4

fortinetfortiauthenticatorMatch5.5.0

fortinetfortiauthenticatorMatch6.1.0

fortinetfortiosRange6.0.0–6.0.13

fortinetfortiosRange6.2.0–6.2.9

fortinetfortiosMatch6.4.0

fortinetfortiosMatch6.4.1

VendorProductVersionCPE
fortinetfortiauthenticator*cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*
fortinetfortiauthenticator5.5.0cpe:2.3:a:fortinet:fortiauthenticator:5.5.0:*:*:*:*:*:*:*
fortinetfortiauthenticator6.1.0cpe:2.3:a:fortinet:fortiauthenticator:6.1.0:*:*:*:*:*:*:*
fortinetfortios*cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
fortinetfortios6.4.0cpe:2.3:o:fortinet:fortios:6.4.0:*:*:*:*:*:*:*
fortinetfortios6.4.1cpe:2.3:o:fortinet:fortios:6.4.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortiauthenticator	*	cpe:2.3:a:fortinet:fortiauthenticator::::::::
fortinet	fortiauthenticator	5.5.0	cpe:2.3:a:fortinet:fortiauthenticator:5.5.0:::::::*
fortinet	fortiauthenticator	6.1.0	cpe:2.3:a:fortinet:fortiauthenticator:6.1.0:::::::*
fortinet	fortios	*	cpe:2.3:o:fortinet:fortios::::::::
fortinet	fortios	6.4.0	cpe:2.3:o:fortinet:fortios:6.4.0:::::::*
fortinet	fortios	6.4.1	cpe:2.3:o:fortinet:fortios:6.4.1:::::::*

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiAuthenticator",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "6.1.0",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.0.0",
        "lessThanOrEqual": "6.0.4",
        "status": "affected"
      },
      {
        "version": "5.5.0",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Fortinet",
    "product": "FortiOS",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "6.4.0",
        "lessThanOrEqual": "6.4.1",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.2.0",
        "lessThanOrEqual": "6.2.9",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.0.0",
        "lessThanOrEqual": "6.0.13",
        "status": "affected"
      }
    ]
  }
]

References

fortiguard.com/psirt/FG-IR-20-014

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U

AI Score

3.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVE-2022-22302