CVE-2023-47537

2024-02-1514:15:45

CWE-295

[email protected]

web.nvd.nist.gov

fortinet

fortios

certificate validation vulnerability

man-in-the-middle

fortilink

fortiswitch

remote attack

unauthenticated attacker

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

An improper certificate validation vulnerability in Fortinet FortiOS 7.0.0 - 7.0.13, 7.2.0 - 7.2.6, 7.4.0 - 7.4.1 and 6.4 all versions allows a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the FortiLink communication channel between the FortiOS device and FortiSwitch.

Affected configurations

Nvd

Node

fortinetfortiosRange7.0.0–7.0.14

fortinetfortiosRange7.2.0–7.2.6

fortinetfortiosMatch7.4.0

fortinetfortiosMatch7.4.1

VendorProductVersionCPE
fortinetfortios*cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
fortinetfortios7.4.0cpe:2.3:o:fortinet:fortios:7.4.0:*:*:*:*:*:*:*
fortinetfortios7.4.1cpe:2.3:o:fortinet:fortios:7.4.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortios	*	cpe:2.3:o:fortinet:fortios::::::::
fortinet	fortios	7.4.0	cpe:2.3:o:fortinet:fortios:7.4.0:::::::*
fortinet	fortios	7.4.1	cpe:2.3:o:fortinet:fortios:7.4.1:::::::*