CVE-2022-38380Improper Access Control in Fortinet Fortios

CWE-284Improper Access Control4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 57.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet FortiosFortinet Fortios
Timeline
PublishedNov 2

Description

An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDfortinet/fortios7.0.07.0.7+1
CVEListV5fortinet/fortinet_fortiosFortiOS 7.2.0, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0

🔴Vulnerability Details

2
CVEList
CVE-2022-38380: An improper access control [CWE-284] vulnerability in FortiOS version 72022-11-02
GHSA
GHSA-gw2f-rjqq-h4j9: An improper access control [CWE-284] vulnerability in FortiOS version 72022-11-02

📋Vendor Advisories

1
Fortinet
Read-Only users able to add/modify the Interface fields using the API2022-11-02
CVE-2022-38380 — Improper Access Control in Fortinet | cvebase