CVE-2022-22299 — Use of Externally-Controlled Format String in Fortinet Fortios

CWE-134 — Use of Externally-Controlled Format String4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 58.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiadc Fortinet Fortimail +1 more

Timeline

PublishedAug 5

Latest updateAug 6

Description

A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiADC version 6.1.0 through 6.1.5, FortiADC version 6.2.0 through 6.2.1, FortiProxy version 1.0.0 through 1.0.7, FortiProxy version 1.1.0 through 1.1.6, FortiProxy version 1.2.0 through 1.2.13, FortiProxy version 2.0.0 through 2.0.7, FortiProxy version 7.0.0 through 7.0.1, FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDfortinet/fortiproxy1.0.0 — 1.0.7+5

▶NVDfortinet/fortios6.4.0 — 6.4.8+7

▶NVDfortinet/fortiadc6.0.0 — 6.0.4+3

▶NVDfortinet/fortimail6.4.0 — 6.4.5+1

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-5hfc-mjwc-89xw: A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6↗2022-08-06

▶

CVEList

CVE-2022-22299: A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6↗2022-08-05

▶

📋Vendor Advisories

Fortinet

A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiAD...↗2022-08-05

▶