Issued: Sunday, 11 December, 2022
Last Revision: Sunday, 11 December, 2022
Vendor: Fortinet
Product: FortiOS, FortiProxy
Severity Level:
A vulnerability was found in Fortinet FortiOS and FortiProxy. Tracked as CVE-2022-35843, it is an authentication bypass in the SSH login component of FortiOS. The bug can only be triggered when RADIUS authentication is used. Manipulation via an unknown input leads to an authentication bypass by assumed-immutable data. The issue is classified as CWE-302: the authentication scheme or implementation uses key data elements that are assumed to be immutable but can be controlled or modified by the attacker.
An attacker who exploits this vulnerability can bypass the authentication mechanism of the device, which may result in access to the application and to sensitive user information, enabling the attacker to view, edit, delete, copy and overwrite data.
| CVE/Vulnerability | Affected Products | CVSS Score | Exploitable |
|---|---|---|---|
| CVE-2022-3236 | FortiOS 7.2.0 through 7.2.1; FortiOS 7.0.0 through 7.0.7; FortiOS 6.4.0 through 6.4.9; FortiOS 6.2 all versions; FortiOS 6.0 all versions; FortiProxy 7.0.0 through 7.0.6; FortiProxy 2.0.0 through 2.0.10; FortiProxy 1.2 all versions | 7.7 | No |
Organizations are encouraged to update FortiOS and FortiProxy to the latest version at their earliest opportunity.
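To help triage a fleet against the affected ranges in the table above, here is an added helper (example code, not from Fortinet or this advisory) that parses FortiOS/FortiProxy version strings and flags hosts that fall inside the listed ranges; the inventory lines and host names are constructed for illustration.

```python
"""Flag FortiOS / FortiProxy hosts whose version falls in the advisory's affected ranges."""
import re

# Affected ranges transcribed from the advisory table.
# (product, lowest affected, highest affected); None = "all versions" of that train.
AFFECTED = [
    ("FortiOS", "7.2.0", "7.2.1"),
    ("FortiOS", "7.0.0", "7.0.7"),
    ("FortiOS", "6.4.0", "6.4.9"),
    ("FortiOS", "6.2", None),
    ("FortiOS", "6.0", None),
    ("FortiProxy", "7.0.0", "7.0.6"),
    ("FortiProxy", "2.0.0", "2.0.10"),
    ("FortiProxy", "1.2", None),
]

def parse_version(text):
    """Turn '7.0.7' or 'v6.2' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))

def is_affected(product, version):
    """True if this product/version lies inside any affected range."""
    v = parse_version(version)
    for prod, low, high in AFFECTED:
        if prod.lower() != product.lower():
            continue
        lo = parse_version(low)
        if high is None:
            # "all versions" of a major.minor train: compare major.minor only
            if v[:2] == lo[:2]:
                return True
        elif lo <= v <= parse_version(high):
            return True
    return False

def triage(inventory):
    """Return host names needing an update; each line is 'host product version'."""
    needs_update = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        if is_affected(product, version):
            needs_update.append(host)
    return needs_update

# Constructed sample inventory (hypothetical host names), not real data.
SAMPLE_INVENTORY = """
fw-edge-01 FortiOS 7.0.7
proxy-01 FortiProxy 7.0.6
fw-lab-02 FortiOS 7.2.2
proxy-legacy FortiProxy 1.2.13
"""

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # → ['fw-edge-01', 'proxy-01', 'proxy-legacy']
```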
