Lucene search

[email protected]CVE-2023-36638

HistorySep 13, 2023 - 1:15 p.m.

CVE-2023-36638

2023-09-1313:15:09

CWE-284

[email protected]

web.nvd.nist.gov

cve-2023-36638

security

vulnerability

fortimanager

fortianalyzer

api

cwe-269

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.

Affected configurations

NVD

Node

fortinetfortianalyzerRange6.0.0–6.4.12

fortinetfortianalyzerRange7.0.0–7.0.8

fortinetfortianalyzerRange7.2.0–7.2.3

fortinetfortimanagerRange6.4.0–6.4.12

fortinetfortimanagerRange7.0.0–7.0.8

fortinetfortimanagerRange7.2.0–7.2.3

CPENameOperatorVersion
fortinet:fortianalyzerfortinet fortianalyzerlt6.4.12
fortinet:fortianalyzerfortinet fortianalyzerlt7.0.8
fortinet:fortianalyzerfortinet fortianalyzerlt7.2.3
fortinet:fortimanagerfortinet fortimanagerlt6.4.12
fortinet:fortimanagerfortinet fortimanagerlt7.0.8
fortinet:fortimanagerfortinet fortimanagerlt7.2.3

CPE	Name	Operator	Version
fortinet:fortianalyzer	fortinet fortianalyzer	lt	6.4.12
fortinet:fortianalyzer	fortinet fortianalyzer	lt	7.0.8
fortinet:fortianalyzer	fortinet fortianalyzer	lt	7.2.3
fortinet:fortimanager	fortinet fortimanager	lt	6.4.12
fortinet:fortimanager	fortinet fortimanager	lt	7.0.8
fortinet:fortimanager	fortinet fortimanager	lt	7.2.3

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiManager",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.2.0",
        "lessThanOrEqual": "7.2.2",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.7",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.4.0",
        "lessThanOrEqual": "6.4.11",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.2.0",
        "lessThanOrEqual": "6.2.11",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.0.0",
        "lessThanOrEqual": "6.0.12",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Fortinet",
    "product": "FortiAnalyzer",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.2.0",
        "lessThanOrEqual": "7.2.2",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.7",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.4.0",
        "lessThanOrEqual": "6.4.11",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.2.0",
        "lessThanOrEqual": "6.2.11",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.0.0",
        "lessThanOrEqual": "6.0.12",
        "status": "affected"
      }
    ]
  }
]

References

fortiguard.com/psirt/FG-IR-22-522

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

Related for CVE-2023-36638

nvd1 prion1 cvelist1