CVE-2022-38377

Summary

An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.2.0affected
FortinetFortiManager7.0.0 <= 7.0.3affected
FortinetFortiManager6.4.0 <= 6.4.8affected
FortinetFortiManager6.2.0 <= 6.2.9affected
FortinetFortiManager6.0.0 <= 6.0.11affected
FortinetFortiAnalyzer7.2.0affected
FortinetFortiAnalyzer7.0.0 <= 7.0.3affected
FortinetFortiAnalyzer6.4.0 <= 6.4.8affected
FortinetFortiAnalyzer6.2.0 <= 6.2.9affected
FortinetFortiAnalyzer6.0.0 <= 6.0.11affected

Weaknesses

  • CWE-284: Improper access control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References