CVE-2022-45861 — Access of Uninitialized Pointer in Fortinet Fortios

CWE-824 — Access of Uninitialized Pointer4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 26.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedMar 7

Description

An access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN portal of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.11 and FortiProxy version 7.2.0 through 7.2.1, version 7.0.0 through 7.0.7 and before 2.0.11 allows a remote authenticated attacker to crash the sslvpn daemon via an HTTP GET request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5fortinet/fortios7.2.0 — 7.2.3+3

▶NVDfortinet/fortios6.2.0 — 6.2.13+3

▶CVEListV5fortinet/fortiproxy7.2.0 — 7.2.1+4

▶NVDfortinet/fortiproxy1.2.0 — 1.2.13+6

🔴Vulnerability Details

GHSA

GHSA-whjf-x8mc-6gr3: An access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN portal of Fortinet FortiOS version 7↗2023-03-07

▶

CVEList

CVE-2022-45861: An access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN portal of Fortinet FortiOS version 7↗2023-03-07

▶

📋Vendor Advisories

Fortinet

Access of NULL pointer in SSLVPNd↗2023-03-07

▶