5.4

CVE-2022-22305

An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.

Data is provided by the National Vulnerability Database (NVD)
FortinetFortianalyzer Version >= 6.0.0 <= 6.0.12
FortinetFortianalyzer Version >= 6.2.9 <= 6.4.7
FortinetFortianalyzer Version7.0.0
FortinetFortianalyzer Version7.0.1
FortinetFortianalyzer Version7.0.2
FortinetFortimanager Version >= 6.0.0 <= 6.0.12
FortinetFortimanager Version >= 6.2.0 <= 6.2.11
FortinetFortimanager Version >= 6.4.0 <= 6.4.6
FortinetFortimanager Version7.0.0
FortinetFortimanager Version7.0.1
FortinetFortisandbox Version >= 3.0.0 <= 3.0.7
FortinetFortisandbox Version >= 3.1.0 <= 3.1.5
FortinetFortisandbox Version >= 3.2.0 <= 3.2.4
FortinetFortisandbox Version3.0.1
FortinetFortisandbox Version4.0.0
FortinetFortisandbox Version4.0.1
FortinetFortisandbox Version4.0.2
FortinetFortios Version >= 5.6.10 <= 5.6.14
FortinetFortios Version >= 6.0.0 <= 6.0.17
FortinetFortios Version >= 6.2.0 <= 6.2.15
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.07% 0.183
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.2 1.6 2.5
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
psirt@fortinet.com 5.4 2.8 2.5
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-297 Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.