CVE-2022-23447

Summary

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiExtender7.0.0 <= 7.0.3affected
FortinetFortiExtender5.3.2affected
FortinetFortiExtender4.2.0 <= 4.2.4affected
FortinetFortiExtender4.1.1 <= 4.1.8affected
FortinetFortiExtender4.0.0 <= 4.0.2affected
FortinetFortiExtender3.3.0 <= 3.3.2affected
FortinetFortiExtender3.2.1 <= 3.2.3affected

Weaknesses

  • CWE-22: Information disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References