Lucene search

FortinetCVE-2023-23776

HistoryMar 07, 2023 - 5:15 p.m.

CVE-2023-23776

2023-03-0717:15:12

CWE-312

CWE-200

fortinet

web.nvd.nist.gov

cve-2023-23776

sensitive information exposure

vulnerability

fortianalyzer

cwe-200

nvd

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

3.7

Confidence

High

EPSS

0.001

Percentile

35.9%

JSON

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4 and 6.4.0 through 6.4.10 may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer

Affected configurations

Nvd

Node

fortinetfortianalyzerRange6.4.0–6.4.11

fortinetfortianalyzerRange7.0.0–7.0.5

fortinetfortianalyzerRange7.2.0–7.2.2

VendorProductVersionCPE
fortinetfortianalyzer*cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortianalyzer	*	cpe:2.3:a:fortinet:fortianalyzer::::::::

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiAnalyzer",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.2.0",
        "lessThanOrEqual": "7.2.1",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.4",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.4.0",
        "lessThanOrEqual": "6.4.10",
        "status": "affected"
      }
    ]
  }
]

References

fortiguard.com/psirt/FG-IR-22-447