SecuriTricks - CVE-2022-45856

Description

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and both the service provider and the identity provider.

Product(s) Impacted

Vendor	Product	Versions
Fortinet	Forticlient	*

Weaknesses

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

*CPE(s)

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fortinet	forticlient	/	/	/	/	/	android	/	/
a	fortinet	forticlient	/	/	/	/	/	linux	/	/
a	fortinet	forticlient	/	/	/	/	/	mac_os	/	/
a	fortinet	forticlient	/	/	/	/	/	windows	/	/
a	fortinet	forticlient	/	/	/	/	/	iphone_os	/	/

References

https://fortiguard.fortinet.com/psirt/FG-IR-22-230

CVSS Score

5.9 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Date

Published: Sept. 10, 2024, 3:15 p.m.
Last Modified: Sept. 26, 2024, 2:48 p.m.

Status : Analyzed

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

psirt@fortinet.com

CVE-2022-45856