CVE-2022-38377 — Improper Access Control in Fortinet Fortianalyzer

CWE-284 — Improper Access Control4 documents4 sources

Severity

2.7LOWNVD

CNA4.3

EPSS

0.2%

top 62.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedNov 25

Description

An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5fortinet/fortimanager7.0.0 — 7.0.3+4

▶NVDfortinet/fortimanager6.0.0 — 6.0.11+4

▶CVEListV5fortinet/fortianalyzer7.0.0 — 7.0.3+4

▶NVDfortinet/fortianalyzer6.0.0 — 6.0.12+4

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-9f3q-2p9h-qmq9: An improper access control vulnerability [CWE-284] in FortiManager 7↗2022-11-25

▶

CVEList

CVE-2022-38377: An improper access control vulnerability [CWE-284] in FortiManager 7↗2022-11-25

▶

📋Vendor Advisories

Fortinet

Inter ADOM information leakage↗2022-11-25

▶