CVE-2023-45586 — Insufficient Verification of Data Authenticity in Fortinet Fortios

CWE-345 — Insufficient Verification of Data Authenticity4 documents4 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 55.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedMay 14

Description

An insufficient verification of data authenticity vulnerability [CWE-345] in Fortinet FortiOS SSL-VPN tunnel mode version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.12 & FortiProxy SSL-VPN tunnel mode version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.13 allows an authenticated VPN user to send (but not receive) packets spoofing the IP of another user via crafted network packets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages4 packages

▶NVDfortinet/fortios7.0.0 — 7.0.13+5

▶NVDfortinet/fortiproxy7.0.0 — 7.0.14+4

▶CVEListV5fortinet/fortios7.4.0 — 7.4.1+4

▶CVEListV5fortinet/fortiproxy7.4.0 — 7.4.1+3

🔴Vulnerability Details

CVEList

CVE-2023-45586: An insufficient verification of data authenticity vulnerability [CWE-345] in Fortinet FortiOS SSL-VPN tunnel mode version 7↗2024-05-14

▶

GHSA

GHSA-74qh-m79m-w8r7: An insufficient verification of data authenticity vulnerability [CWE-345] in Fortinet FortiOS SSL-VPN tunnel mode version 7↗2024-05-14

▶

📋Vendor Advisories

Fortinet

SSL-VPN user IP spoofing↗2024-05-14

▶