CVE-2022-39954

Summary

An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiNAC9.4.0 <= 9.4.1affected
FortinetFortiNAC9.2.0 <= 9.2.7affected
FortinetFortiNAC9.1.0 <= 9.1.8affected
FortinetFortiNAC8.8.0 <= 8.8.11affected
FortinetFortiNAC8.7.0 <= 8.7.6affected
FortinetFortiNAC8.6.0 <= 8.6.5affected
FortinetFortiNAC8.5.0 <= 8.5.4affected
FortinetFortiNAC8.3.7affected

Weaknesses

  • CWE-611: Information disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References