CVE-2022-27487

2023-04-1117:15:07

CWE-269

[email protected]

web.nvd.nist.gov

fortinet

fortisandbox

fortideceptor

privilege management

remote attacker

unauthorized api calls

http

https

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.002

Percentile

54.9%

JSON

A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.

Affected configurations

Nvd

Node

fortinetfortideceptorRange1.0–3.3.3

fortinetfortideceptorRange4.0.0–4.0.2

fortinetfortideceptorMatch4.1.0

fortinetfortisandboxRange2.5.0–3.2.4

fortinetfortisandboxRange4.0.0–4.0.3

fortinetfortisandboxRange4.2.0–4.2.3

VendorProductVersionCPE
fortinetfortideceptor*cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*
fortinetfortideceptor4.1.0cpe:2.3:a:fortinet:fortideceptor:4.1.0:*:*:*:*:*:*:*
fortinetfortisandbox*cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortideceptor	*	cpe:2.3:a:fortinet:fortideceptor::::::::
fortinet	fortideceptor	4.1.0	cpe:2.3:a:fortinet:fortideceptor:4.1.0:::::::*
fortinet	fortisandbox	*	cpe:2.3:a:fortinet:fortisandbox::::::::