CVE-2018-9867 — Improper Authorization in Sonicos

CWE-285 — Improper Authorization CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 94.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sonicwall Sonicos Sonicwall Sonicosv

Timeline

PublishedFeb 19

Latest updateMay 13

Description

In SonicWall SonicOS, administrators without full permissions can download imported certificates. Occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5sonicwall/sonicosv4 versions+3

▶NVDsonicwall/sonicosv4 versions+3

▶NVDsonicwall/sonicos5.0.0.0 — 5.9.1.10+8

▶CVEListV5sonicwall/sonicos9 versions+8

🔴Vulnerability Details

GHSA

GHSA-49vw-7j46-x482: In SonicWall SonicOS, administrators without full permissions can download imported certificates↗2022-05-13

▶

CVEList

CVE-2018-9867: In SonicWall SonicOS, administrators without full permissions can download imported certificates↗2019-02-19

▶