CVE-2022-42475

Summary

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiProxy7.2.0 <= 7.2.1affected
FortinetFortiProxy7.0.0 <= 7.0.7affected
FortinetFortiProxy2.0.0 <= 2.0.11affected
FortinetFortiProxy1.2.0 <= 1.2.13affected
FortinetFortiProxy1.1.0 <= 1.1.6affected
FortinetFortiProxy1.0.0 <= 1.0.7affected
FortinetFortiOS7.2.0 <= 7.2.2affected
FortinetFortiOS7.0.0 <= 7.0.8affected
FortinetFortiOS6.4.0 <= 6.4.10affected
FortinetFortiOS6.2.0 <= 6.2.11affected
FortinetFortiOS6.0.0 <= 6.0.15affected
FortinetFortiOS5.6.0 <= 5.6.14affected
FortinetFortiOS5.4.0 <= 5.4.13affected
FortinetFortiOS5.2.0 <= 5.2.15affected
FortinetFortiOS5.0.0 <= 5.0.14affected

Weaknesses

  • CWE-197: Execute unauthorized code or commands

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References