CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Products
FortiOS
- 7.2.5 and below
- 7.0 all versions
- 6.4 all versions
FortiProxy
- 7.2 all versions
- 7.0 all versions
FortiPAM
- 1.3 all versions
- 1.2 all versions
- 1.1 all versions
- 1.0 all versions
FortiSwitchManager
- 7.2.1 and below
- 7.0 all versions
Source
psirt@fortinet.com
Tags
CVE-2022-45862 details
Last Modified : Aug. 13, 2024, 5:11 p.m.
Description
An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.
CVSS Score
| 1 | 2 | 3.7 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
3.7
Exploitability Score
2.2
Impact Score
1.4
Base Severity
LOW
Vector String : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
References
| URL | Source |
|---|---|
| https://fortiguard.com/psirt/FG-IR-22-445 | psirt@fortinet.com |