CVE-2022-38378 — Improper Privilege Management in Fortinet Fortios

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

6.0MEDIUMNVD

CNA4.2

EPSS

0.1%

top 70.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedFeb 16

Description

An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7.2.0 and before 7.0.7 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an attacker that has access to the admin profile section (System subsection Administrator Users) to modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages4 packages

▶NVDfortinet/fortios6.0.0 — 7.0.8+1

▶NVDfortinet/fortiproxy7.0.0 — 7.0.8+2

▶CVEListV5fortinet/fortios7.0.0 — 7.0.7+4

▶CVEListV5fortinet/fortiproxy7.2.0 — 7.2.1+4

🔴Vulnerability Details

GHSA

GHSA-h5fc-q8mj-rvq7: An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7↗2023-02-16

▶

CVEList

CVE-2022-38378: An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7↗2023-02-16

▶

📋Vendor Advisories

Fortinet

Ability to modify privileges from Custom to Read-Write↗2023-02-16

▶