CVE-2022-27490

Summary

A exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.x, 6.0.x allows an attacker which has obtained access to a restricted administrative account to obtain sensitive information via diagnose debug commands.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager6.0.0 <= 6.0.4affected
FortinetFortiManager5.6.0 <= 5.6.11affected
FortinetFortiAnalyzer6.0.0 <= 6.0.4affected
FortinetFortiAnalyzer5.6.0 <= 5.6.11affected
FortinetFortiPortal6.0.0 <= 6.0.9affected
FortinetFortiPortal5.3.0 <= 5.3.8affected
FortinetFortiPortal5.2.0 <= 5.2.6affected
FortinetFortiPortal5.1.0 <= 5.1.2affected
FortinetFortiPortal5.0.0 <= 5.0.3affected
FortinetFortiPortal4.2.0 <= 4.2.2affected
FortinetFortiPortal4.1.0 <= 4.1.2affected
FortinetFortiSwitch7.0.0 <= 7.0.4affected
FortinetFortiSwitch6.4.0 <= 6.4.10affected
FortinetFortiSwitch6.2.0 <= 6.2.7affected
FortinetFortiSwitch6.0.0 <= 6.0.7affected

Weaknesses

  • CWE-200: Information disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References