CVE-2022-45857

2023-01-0508:15:08

CWE-286

[email protected]

web.nvd.nist.gov

cve-2022-45857

cwe-286

fortimanager

vdom

vulnerability

user management

access control

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.4%

JSON

An incorrect user management vulnerability [CWE-286] in the FortiManager version 6.4.6 and below VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin account is deleted.

Affected configurations

NVD

Node

fortinetfortimanagerRange6.2.0–6.2.9

fortinetfortimanagerRange6.4.0–6.4.8

fortinetfortimanagerRange7.0.0–7.0.2

CPENameOperatorVersion
fortinet:fortimanagerfortinet fortimanagerlt6.2.9
fortinet:fortimanagerfortinet fortimanagerlt6.4.8
fortinet:fortimanagerfortinet fortimanagerlt7.0.2

CPE	Name	Operator	Version
fortinet:fortimanager	fortinet fortimanager	lt	6.2.9
fortinet:fortimanager	fortinet fortimanager	lt	6.4.8
fortinet:fortimanager	fortinet fortimanager	lt	7.0.2

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiManager",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.1",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.4.0",
        "lessThanOrEqual": "6.4.7",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.2.0",
        "lessThanOrEqual": "6.2.8",
        "status": "affected"
      }
    ]
  }
]