CVE-2022-27487

Summary

A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiDeceptor4.1.0affected
FortinetFortiDeceptor4.0.0 <= 4.0.2affected
FortinetFortiDeceptor3.3.0 <= 3.3.3affected
FortinetFortiDeceptor3.2.0 <= 3.2.2affected
FortinetFortiDeceptor3.1.0 <= 3.1.1affected
FortinetFortiDeceptor3.0.0 <= 3.0.2affected
FortinetFortiDeceptor2.1.0affected
FortinetFortiDeceptor2.0.0affected
FortinetFortiDeceptor1.1.0affected
FortinetFortiDeceptor1.0.0 <= 1.0.1affected
FortinetFortiSandbox4.2.0 <= 4.2.2affected
FortinetFortiSandbox4.0.0 <= 4.0.2affected
FortinetFortiSandbox3.2.0 <= 3.2.3affected
FortinetFortiSandbox3.1.0 <= 3.1.5affected
FortinetFortiSandbox3.0.0 <= 3.0.7affected
FortinetFortiSandbox2.5.0 <= 2.5.2affected

Weaknesses

  • CWE-269: Execute unauthorized code or commands

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References