cve-2022-27487
Vulnerability from cvelistv5
Published
2023-04-11 16:06
Modified
2024-08-03 05:32
Severity
Summary
A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.
References
Source | URL | Tags |
---|---|---|
psirt@fortinet.com | https://fortiguard.com/psirt/FG-IR-22-056 | Vendor Advisory |
Impacted products
Vendor | Product |
---|---|
Fortinet | FortiDeceptor |
Fortinet | FortiSandbox |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:32:57.807Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://fortiguard.com/psirt/FG-IR-22-056", "tags": [ "x_transferred" ], "url": "https://fortiguard.com/psirt/FG-IR-22-056" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "FortiDeceptor", "vendor": "Fortinet", "versions": [ { "status": "affected", "version": "4.1.0" }, { "lessThanOrEqual": "4.0.2", "status": "affected", "version": "4.0.0", "versionType": "semver" }, { "lessThanOrEqual": "3.3.3", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "lessThanOrEqual": "3.2.2", "status": "affected", "version": "3.2.0", "versionType": "semver" }, { "lessThanOrEqual": "3.1.1", "status": "affected", "version": "3.1.0", "versionType": "semver" }, { "lessThanOrEqual": "3.0.2", "status": "affected", "version": "3.0.0", "versionType": "semver" }, { "status": "affected", "version": "2.1.0" }, { "status": "affected", "version": "2.0.0" }, { "status": "affected", "version": "1.1.0" }, { "lessThanOrEqual": "1.0.1", "status": "affected", "version": "1.0.0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "product": "FortiSandbox", "vendor": "Fortinet", "versions": [ { "lessThanOrEqual": "4.2.2", "status": "affected", "version": "4.2.0", "versionType": "semver" }, { "lessThanOrEqual": "4.0.2", "status": "affected", "version": "4.0.0", "versionType": "semver" }, { "lessThanOrEqual": "3.2.3", "status": "affected", "version": "3.2.0", "versionType": "semver" }, { "lessThanOrEqual": "3.1.5", "status": "affected", "version": "3.1.0", "versionType": "semver" }, { "lessThanOrEqual": "3.0.7", "status": "affected", "version": "3.0.0", "versionType": "semver" }, { "lessThanOrEqual": "2.5.2", "status": "affected", "version": "2.5.0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "Execute unauthorized code or commands", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-11T16:06:58.797Z", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet" }, "references": [ { "name": "https://fortiguard.com/psirt/FG-IR-22-056", "url": "https://fortiguard.com/psirt/FG-IR-22-056" } ], "solutions": [ { "lang": "en", "value": "Please upgrade to FortiDeceptor version 4.2.0 or above Please upgrade to FortiDeceptor version 4.1.1 or above Please upgrade to FortiDeceptor version 4.0.2 or above Please upgrade to FortiDeceptor version 3.3.3 or above Please upgrade to FortiSandbox version 4.2.3 or above Please upgrade to FortiSandbox version 4.0.3 or above Please upgrade to FortiSandbox version 3.2.4 or above " } ] } }, "cveMetadata": { "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2022-27487", "datePublished": "2023-04-11T16:06:58.797Z", "dateReserved": "2022-03-21T16:03:48.575Z", "dateUpdated": "2024-08-03T05:32:57.807Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-27487\",\"sourceIdentifier\":\"psirt@fortinet.com\",\"published\":\"2023-04-11T17:15:07.193\",\"lastModified\":\"2023-11-07T03:45:20.453\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"psirt@fortinet.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"psirt@fortinet.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0\",\"versionEndExcluding\":\"3.3.3\",\"matchCriteriaId\":\"39B4357A-55DD-498F-B4B2-68A77285612B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndIncluding\":\"4.0.2\",\"matchCriteriaId\":\"16BF9690-3D39-4FCC-A314-68C17E1E0892\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortideceptor:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"48655ECC-C9A9-4AD9-993B-7B2965E9266F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"3.2.4\",\"matchCriteriaId\":\"30C67A05-44FD-462B-BC47-2EAE11358063\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.0.3\",\"matchCriteriaId\":\"4AD1B101-4071-480C-AF8A-AE66FF92D589\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.3\",\"matchCriteriaId\":\"4C401836-2D68-4CA3-8735-D9EC9DDB15F6\"}]}]}],\"references\":[{\"url\":\"https://fortiguard.com/psirt/FG-IR-22-056\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading...