CVE-2022-22302 — Cleartext Storage of Sensitive Info in Fortinet Fortiauthenticator

CWE-312 — Cleartext Storage of Sensitive Info4 documents4 sources

Severity

3.3LOWNVD

CNA5.3

EPSS

0.1%

top 74.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiauthenticator Fortinet Fortios

Timeline

PublishedJul 11

Description

A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5fortinet/fortiauthenticator6.0.0 — 6.0.4+2

▶NVDfortinet/fortiauthenticator6.0.0 — 6.0.4+2

▶CVEListV5fortinet/fortios6.4.0 — 6.4.1+2

▶NVDfortinet/fortios6.0.0 — 6.0.13+3

🔴Vulnerability Details

CVEList

CVE-2022-22302: A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6↗2023-07-11

▶

GHSA

GHSA-vcgf-cp2m-h8gw: A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6↗2023-07-11

▶

📋Vendor Advisories

Fortinet

A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2...↗2023-07-11

▶