CVE-2022-40684 (CVSS 9.8)
- EPSS 94.43%
- Published 18.10.2022 14:15:09
- Last modified 19.02.2025 19:37:18
- Source psirt@fortinet.com
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Data provided by the National Vulnerability Database (NVD)
Fortinet ≫ Fortiproxy Version >= 7.0.0 < 7.0.7
Fortinet ≫ Fortiproxy Version 7.2.0
Fortinet ≫ Fortiswitchmanager Version 7.0.0
Fortinet ≫ Fortiswitchmanager Version 7.2.0
11.10.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Fortinet Multiple Products Authentication Bypass Vulnerability
- Description: Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
- Required action: Apply updates per vendor instructions.
10.10.2022: CERT.at warning
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.43% | 1 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| psirt@fortinet.com | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.