CVE-2022-45856

10.09.2024, 15:15

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker toman-in-the-middle the communication between the FortiClient and both the service provider and the identity provider.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
fortinet	CNA	4.6 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Vendor	Product	Version
fortinet	forticlient	6.4 ≤ 𝑥 < 7.2.5
fortinet	forticlient	6.4 ≤ 𝑥 < 7.2.5
fortinet	forticlient	6.4 ≤ 𝑥 < 7.0.8

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://fortiguard.fortinet.com/psirt/FG-IR-22-230