CVE-2022-42476 — Relative Path Traversal in Fortinet Fortios

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal4 documents4 sources

Severity

8.2HIGHNVD

EPSS

0.1%

top 76.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedMar 7

Description

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.11, FortiProxy version 7.2.0 through 7.2.2 and 7.0.0 through 7.0.8 allows privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages4 packages

▶CVEListV5fortinet/fortios7.2.0 — 7.2.3+3

▶NVDfortinet/fortios6.2.0 — 6.2.12+3

▶CVEListV5fortinet/fortiproxy7.2.0 — 7.2.1+4

▶NVDfortinet/fortiproxy1.1.0 — 1.1.6+5

🔴Vulnerability Details

GHSA

GHSA-w4p8-qcm4-827w: A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7↗2023-03-07

▶

CVEList

CVE-2022-42476: A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7↗2023-03-07

▶

📋Vendor Advisories

Fortinet

FortiOS / FortiProxy - Path traversal vulnerability allows VDOM escaping↗2023-03-07

▶