CVE-2022-23439

CWE-6104 documents4 sources

Severity

6.1MEDIUM

EPSS

0.2%

top 56.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiadc Fortinet Fortiauthenticator +15 more

Timeline

PublishedJan 22

Description

A externally controlled reference to a resource in another sphere vulnerability in Fortinet allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.7

Affected Packages31 packages

▶CVEListV5fortinet/fortios6.4.0 — 6.4.*+5

▶NVDfortinet/fortios6.0.0 — 7.0.6+1

▶NVDfortinet/fortiadc5.4.0 — 6.2.4

▶NVDfortinet/fortindr1.4.0 — 7.1.1+1

▶NVDfortinet/fortiwlc8.6.0 — 8.6.7

🔴Vulnerability Details

GHSA

GHSA-xw2g-vg83-c99r: A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7↗2025-01-22

▶

CVEList

CVE-2022-23439: A externally controlled reference to a resource in another sphere vulnerability in Fortinet allows attacker to poison web caches via crafted HTTP requ↗2025-01-22

▶

📋Vendor Advisories

Fortinet

`Host` header injection↗2025-01-22

▶

External resources

NVD MITRE

Affected products18

Fortinet Fortiadc≥ 5.4.0, < 6.2.4≥ 7.0.0, ≤ 7.0.1≥ 6.2.0, ≤ 6.2.3+7 more

Fortinet Fortianalyzer≥ 7.4.0, ≤ 7.4.2≥ 7.2.0, ≤ 7.2.11≥ 7.0.0, ≤ 7.0.15+2 more

Fortinet Fortiauthenticator≥ 6.3.0, < 6.3.4≥ 6.4.0, < 6.4.2≥ 6.4.0, ≤ 6.4.1+9 more

Fortinet Fortiddos≥ 5.3.0, < 5.5.2≥ 5.5.0, ≤ 5.5.1≥ 5.4.0, ≤ 5.4.3+7 more

Fortinet Fortiddos-f≥ 6.1.0, < 6.3.4≥ 6.3.0, ≤ 6.3.3≥ 6.2.0, ≤ 6.2.3+1 more

Fortinet Fortimail≥ 6.4.0, < 7.0.4≥ 7.0.0, ≤ 7.0.3≥ 6.4.0, ≤ 6.4.8+3 more

Fortinet Fortimanager≥ 7.4.0, ≤ 7.4.3≥ 7.2.0, ≤ 7.2.11≥ 7.0.0, ≤ 7.0.15+2 more

Fortinet Fortindr≥ 1.4.0, < 7.1.1≥ 7.0.0, ≤ 7.0.7≥ 1.5.0, ≤ 1.5.3+6 more

Fortinet Fortios≥ 6.4.0, < 6.4.*≥ 6.0.0, < 7.0.6≥ 7.2.0, < 7.2.5+5 more

Fortinet Fortiportal≥ 6.0.0, ≤ 6.0.9

Disclosure

PublishedJan 22, 2025