CVE-2022-38377

An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information.

Published: Nov 25, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-38377
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.7
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
fortinet / fortimanager	6.0.0	6.0.11.x
fortinet / fortimanager	6.4.0	6.4.7.x
fortinet / fortimanager	6.2.0	6.2.9.x
fortinet / fortimanager	7.0.0	7.0.3.x
fortinet / fortianalyzer	7.0.0	7.0.3.x
fortinet / fortianalyzer	6.4.0	6.4.8.x
fortinet / fortimanager	7.2.0	7.2.0.x
fortinet / fortianalyzer	7.2.0	7.2.0.x
fortinet / fortianalyzer	6.0.0	6.0.12.x
fortinet / fortianalyzer	6.2.0	6.2.10.x

https://fortiguard.com/psirt/FG-IR-20-143

Vulnerability Database

289,784

CVE-2022-38377