gsd-2023-41673
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
An improper authorization vulnerability [CWE-285] in Fortinet FortiADC version 7.4.0 and before 7.2.2 may allow a low privileged user to read or backup the full system configuration via HTTP or HTTPS requests.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-41673",
"id": "GSD-2023-41673"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-41673"
],
"details": "An improper authorization vulnerability [CWE-285] in Fortinet FortiADC version 7.4.0 and before 7.2.2 may allow a low privileged user to read or backup the full system configuration via HTTP or HTTPS requests.",
"id": "GSD-2023-41673",
"modified": "2023-12-13T01:20:45.312516Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2023-41673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FortiADC",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.4.0"
},
{
"version_affected": "\u003c=",
"version_name": "7.2.0",
"version_value": "7.2.2"
},
{
"version_affected": "\u003c=",
"version_name": "7.1.0",
"version_value": "7.1.4"
},
{
"version_affected": "\u003c=",
"version_name": "7.0.0",
"version_value": "7.0.5"
},
{
"version_affected": "\u003c=",
"version_name": "6.2.0",
"version_value": "6.2.6"
},
{
"version_affected": "\u003c=",
"version_name": "6.1.0",
"version_value": "6.1.6"
},
{
"version_affected": "\u003c=",
"version_name": "6.0.0",
"version_value": "6.0.4"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability [CWE-285] in Fortinet FortiADC version 7.4.0 and before 7.2.2 may allow a low privileged user to read or backup the full system configuration via HTTP or HTTPS requests."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:F/RL:X/RC:C",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-285",
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/psirt/FG-IR-23-270",
"refsource": "MISC",
"url": "https://fortiguard.com/psirt/FG-IR-23-270"
}
]
},
"solution": [
{
"lang": "en",
"value": "Please upgrade to FortiADC version 7.4.1 or above \nPlease upgrade to FortiADC version 7.2.3 or above \n"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3ADB57D8-1ABE-4401-B1B0-4640A34C555A",
"versionEndIncluding": "6.0.4",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D31CF79E-6C56-4CD0-9DD2-FBB48D503786",
"versionEndIncluding": "6.1.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F5275C5C-B6FD-4456-B143-ECDD282150C4",
"versionEndIncluding": "6.2.6",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "302D8FF0-69B6-451A-9B5B-E28B2FAA30D8",
"versionEndIncluding": "7.0.5",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:7.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B35D8D53-448B-474C-B7CB-324CB4ED7A82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:7.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "933701AE-43E3-4260-973B-4EA09C375965",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:7.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7F3029D7-4C37-4468-9CCD-45C7259EFF2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:7.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "74B0A112-AA30-4D11-8F36-3DC8A2EBCA16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:fortiadc:7.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7C624CB5-F745-4781-839A-B397EC97590B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability [CWE-285] in Fortinet FortiADC version 7.4.0 and before 7.2.2 may allow a low privileged user to read or backup the full system configuration via HTTP or HTTPS requests."
},
{
"lang": "es",
"value": "Una vulnerabilidad de autorizaci\u00f3n inadecuada [CWE-285] en Fortinet FortiADC versi\u00f3n 7.4.0 y anteriores a 7.2.2 puede permitir que un usuario con pocos privilegios lea o haga una copia de seguridad de la configuraci\u00f3n completa del sistema a trav\u00e9s de solicitudes HTTP o HTTPS."
}
],
"id": "CVE-2023-41673",
"lastModified": "2023-12-15T19:10:46.137",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "psirt@fortinet.com",
"type": "Secondary"
}
]
},
"published": "2023-12-13T07:15:15.860",
"references": [
{
"source": "psirt@fortinet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.com/psirt/FG-IR-23-270"
}
],
"sourceIdentifier": "psirt@fortinet.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "psirt@fortinet.com",
"type": "Primary"
}
]
}
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.