CVE-2022-38377 - Vulnerability Details - OpenCVE

An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortianalyzer Fortimanager

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer:7.2.0:::::::*
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager:7.2.0:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-20-143

History

Tue, 22 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2022-11-25T15:47:41.422Z

Updated: 2024-10-22T20:52:08.654Z

Reserved: 2022-08-16T14:17:48.479Z

Link: CVE-2022-38377

Vulnrichment

Updated: 2024-08-03T10:54:03.674Z

NVD

Status : Modified

Published: 2022-11-25T16:15:10.747

Modified: 2024-11-21T07:16:21.223

Link: CVE-2022-38377

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-38377", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "requesterUserId": "a0475cc0-be89-4a25-97b3-d1b8023a8677", "dateReserved": "2022-08-16T14:17:48.479Z", "datePublished": "2022-11-25T15:47:41.422Z", "dateUpdated": "2024-10-22T20:52:08.654Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiManager", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "status": "affected"}, {"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.8", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.9", "status": "affected"}, {"versionType": "semver", "version": "6.0.0", "lessThanOrEqual": "6.0.11", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiAnalyzer", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "status": "affected"}, {"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.8", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.9", "status": "affected"}, {"versionType": "semver", "version": "6.0.0", "lessThanOrEqual": "6.0.11", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2022-11-25T15:47:41.422Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "Improper access control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiManager version 7.2.1 or above\r\nPlease upgrade to FortiManager version 7.0.4 or above\r\nPlease upgrade to FortiManager version 6.4.8 or above\n\r\nPlease upgrade to FortiAnalyzer version 7.2.1 or above\r\nPlease upgrade to\u00a0FortiAnalyzer version 7.0.4 or above\r\nPlease upgrade to\u00a0FortiAnalyzer version 6.4.9 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-143", "url": "https://fortiguard.com/psirt/FG-IR-20-143"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:54:03.674Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-143", "url": "https://fortiguard.com/psirt/FG-IR-20-143", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T20:18:55.318018Z", "id": "CVE-2022-38377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:52:08.654Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-38377", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "requesterUserId": "a0475cc0-be89-4a25-97b3-d1b8023a8677", "dateReserved": "2022-08-16T14:17:48.479Z", "datePublished": "2022-11-25T15:47:41.422Z", "dateUpdated": "2024-10-22T20:52:08.654Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiManager", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "status": "affected"}, {"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.8", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.9", "status": "affected"}, {"versionType": "semver", "version": "6.0.0", "lessThanOrEqual": "6.0.11", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiAnalyzer", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "status": "affected"}, {"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.8", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.9", "status": "affected"}, {"versionType": "semver", "version": "6.0.0", "lessThanOrEqual": "6.0.11", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2022-11-25T15:47:41.422Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "Improper access control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiManager version 7.2.1 or above\r\nPlease upgrade to FortiManager version 7.0.4 or above\r\nPlease upgrade to FortiManager version 6.4.8 or above\n\r\nPlease upgrade to FortiAnalyzer version 7.2.1 or above\r\nPlease upgrade to\u00a0FortiAnalyzer version 7.0.4 or above\r\nPlease upgrade to\u00a0FortiAnalyzer version 6.4.9 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-143", "url": "https://fortiguard.com/psirt/FG-IR-20-143"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:54:03.674Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-143", "url": "https://fortiguard.com/psirt/FG-IR-20-143", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-38377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T20:18:55.318018Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:21:11.935Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "matchCriteriaId": "2318A6AC-AA3E-4604-968C-35A46E79FCB8", "versionEndIncluding": "6.0.12", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E816164-8C08-4BF7-863B-112076AB6AE2", "versionEndIncluding": "6.2.10", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "matchCriteriaId": "19769C95-B563-476D-A4B3-6C317294F1E9", "versionEndIncluding": "6.4.8", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "matchCriteriaId": "42D096D2-1FCB-43A6-8CF3-3226F631BAC4", "versionEndIncluding": "7.0.3", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortianalyzer:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "319D2F9D-E1E5-49C7-8ABD-0A64D7B05D58", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD729EF3-1665-4CE7-9FDD-450D5F79A2B9", "versionEndIncluding": "6.0.11", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D79F4BE-B6BB-414A-A132-D3650B2B5B4F", "versionEndIncluding": "6.2.9", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "105F23CF-6375-402E-A2ED-9827510196EA", "versionEndIncluding": "6.4.7", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA4F8D67-139F-4524-88D4-B32A1580BFBE", "versionEndIncluding": "7.0.3", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "407755AA-0C23-4C5B-88A2-8BC12A3D268D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiManager 7.2.0, 7.0.0 a 7.0.3, 6.4.0 a 6.4.7, 6.2.0 a 6.2.9, 6.0.0 a 6.0.11 y FortiAnalyzer 7.2 .0, 7.0.0 a 7.0.3, 6.4.0 a 6.4.8, 6.2.0 a 6.2.10, 6.0.0 a 6.0.12 pueden permitir que un usuario administrador remoto y autenticado asignado a un ADOM espec\u00edfico acceda a otros ADOM de informaci\u00f3n, como informaci\u00f3n del dispositivo e informaci\u00f3n del panel."}], "id": "CVE-2022-38377", "lastModified": "2024-11-21T07:16:21.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-25T16:15:10.747", "references": [{"source": "psirt@fortinet.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-20-143"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-20-143"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@fortinet.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}