CVE-2023-41679

An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions may allow a remote and authenticated attacker with at least "device management" permission on his profile and belonging to a specific ADOM to add and delete CLI script on other ADOMs

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-23-062	Vendor Advisory
https://fortiguard.com/psirt/FG-IR-23-062	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager:7.2.0:::::::*
	cpe:2.3:a:fortinet:fortimanager:7.2.1:::::::*
	cpe:2.3:a:fortinet:fortimanager:7.2.2:::::::*

History

21 Nov 2024, 08:21

Type	Values Removed	Values Added
References	~~() https://fortiguard.com/psirt/FG-IR-23-062 - Vendor Advisory~~	() https://fortiguard.com/psirt/FG-IR-23-062 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~9.6~~	v2 : unknown v3 : 8.5

13 Oct 2023, 16:54

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
CPE		cpe:2.3:a:fortinet:fortimanager:7.2.2:::::::* cpe:2.3:a:fortinet:fortimanager:::::::: cpe:2.3:a:fortinet:fortimanager:7.2.1:::::::* cpe:2.3:a:fortinet:fortimanager:7.2.0:::::::*
First Time		Fortinet Fortinet fortimanager
References	~~(MISC) https://fortiguard.com/psirt/FG-IR-23-062 -~~	(MISC) https://fortiguard.com/psirt/FG-IR-23-062 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.6

10 Oct 2023, 17:52

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-10 17:15

Updated : 2024-11-21 08:21

NVD link : CVE-2023-41679

Mitre link : CVE-2023-41679

CVE.ORG link : CVE-2023-41679

JSON object : View

Products Affected

fortinet

fortimanager

CWE

CWE-284

Improper Access Control

NVD-CWE-Other

{"id": "CVE-2023-41679", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.8, "exploitabilityScore": 3.1}]}, "published": "2023-10-10T17:15:12.683", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-23-062", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}, {"url": "https://fortiguard.com/psirt/FG-IR-23-062", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions may allow a remote and authenticated attacker with at least \"device management\" permission on his profile and belonging to a specific ADOM to add and delete CLI script on other ADOMs"}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado [CWE-284] en la interfaz de administraci\u00f3n de FortiManager 7.2.0 a 7.2.2, 7.0.0 a 7.0.7, 6.4.0 a 6.4.11, 6.2 todas las versiones, 6.0 todas las versiones puede permitir a un atacante remoto no autenticado con al menos permiso de \"administraci\u00f3n de dispositivos\" en su perfil y perteneciente a un ADOM espec\u00edfico agregar y eliminar scripts CLI en otros ADOM."}], "lastModified": "2024-11-21T08:21:28.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DFFD873-3F9B-41D8-92E6-09F84712BCE1", "versionEndIncluding": "6.0.12", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09105C5B-378F-4E1A-B395-F43573983A26", "versionEndIncluding": "6.2.12", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DA1F7EC-363D-432C-9225-3A217D9F3CBE", "versionEndIncluding": "6.4.11", "versionStartIncluding": "6.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A57331B0-1B5B-4E70-BD82-E87715CDD921", "versionEndIncluding": "7.0.7", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:7.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "407755AA-0C23-4C5B-88A2-8BC12A3D268D"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:7.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A0A1111-4054-4C7B-B333-E13A8684207B"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:7.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81E5E264-0F74-4C45-BC90-384E572A14B8"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}