CVE-2022-39948

16.02.2023, 19:15

An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2all versions, 6.0all versions and FortiProxy 7.0.0 through 7.0.6, 2.0all versions, 1.2all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy)

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
fortinet	CNA	4.4 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:R
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Vendor	Product	Version
fortinet	fortiproxy	1.2.0 ≤ 𝑥 ≤ 2.0.9
fortinet	fortiproxy	7.0.0 ≤ 𝑥 < 7.0.7
fortinet	fortios	6.0.0 ≤ 𝑥 < 7.0.8
fortinet	fortios	7.2.0 ≤ 𝑥 < 7.2.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://fortiguard.com/psirt/FG-IR-22-257