CVE-2022-30305 — Insufficient Logging in Fortinet Fortideceptor

CWE-778 — Insufficient Logging CWE-307 — Improper Restriction of Excessive Authentication Attempts4 documents4 sources

Severity

7.5HIGHNVD

CNA3.7

EPSS

0.2%

top 55.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortideceptor Fortinet Fortisandbox

Timeline

PublishedDec 6

Description

An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5fortinet/fortisandbox3.2.0 — 3.2.3+2

▶NVDfortinet/fortisandbox3.1.0 — 3.1.5+5

▶CVEListV5fortinet/fortideceptor4.1.0 — 4.1.1+6

▶NVDfortinet/fortideceptor3.0.0 — 3.0.2+8

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-486j-wqfq-g6vq: An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4↗2022-12-06

▶

CVEList

CVE-2022-30305: An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4↗2022-12-06

▶

📋Vendor Advisories

Fortinet

An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1...↗2022-12-06

▶