CVE-2023-22633 - OpenCVE

An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions 8.7.0 all versions may allow an unauthenticated attacker to perform a DoS attack on the device via client-secure renegotiation.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Fortinet	Fortinac Fortinac-f

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortinac::::::::
	cpe:2.3:a:fortinet:fortinac::::::::
	cpe:2.3:a:fortinet:fortinac::::::::
	cpe:2.3:a:fortinet:fortinac::::::::
	cpe:2.3:a:fortinet:fortinac:9.4.0:::::::*
	cpe:2.3:a:fortinet:fortinac:9.4.1:::::::*
	cpe:2.3:a:fortinet:fortinac-f:7.2.0:::::::*

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-22-521	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: fortinet

Published: 2023-06-13T08:41:44.268Z

Updated: 2023-06-13T08:41:44.268Z

Reserved: 2023-01-05T10:06:31.521Z

Link: CVE-2023-22633

JSON object: View

NVD Information

Status : Modified

Published: 2023-06-13T09:15:16.127

Modified: 2023-11-07T04:07:10.260

Link: CVE-2023-22633

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-22633", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-01-05T10:06:31.521Z", "datePublished": "2023-06-13T08:41:44.268Z", "dateUpdated": "2023-06-13T08:41:44.268Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiNAC", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "9.4.0", "lessThanOrEqual": "9.4.1", "status": "affected"}, {"versionType": "semver", "version": "9.2.0", "lessThanOrEqual": "9.2.6", "status": "affected"}, {"versionType": "semver", "version": "9.1.0", "lessThanOrEqual": "9.1.8", "status": "affected"}, {"versionType": "semver", "version": "8.8.0", "lessThanOrEqual": "8.8.11", "status": "affected"}, {"versionType": "semver", "version": "8.7.0", "lessThanOrEqual": "8.7.6", "status": "affected"}, {"version": "7.2.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions 8.7.0 all versions may allow an unauthenticated attacker to perform a DoS attack on the device via client-secure renegotiation."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-06-13T08:41:44.268Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-264", "description": "Denial of service", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:R"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiNAC-F version 7.2.1 or above\r\nPlease upgrade to FortiNAC version 9.4.2 or above\r\nPlease upgrade to FortiNAC version 9.2.7 or above\r\nPlease upgrade to FortiNAC version 9.1.9 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-521", "url": "https://fortiguard.com/psirt/FG-IR-22-521"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BD32B25-76B4-4D6E-BB5C-065070297058", "versionEndIncluding": "8.7.6", "versionStartIncluding": "8.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*", "matchCriteriaId": "46929BE3-0396-4B8A-9889-9F6CA73FAD4E", "versionEndIncluding": "8.8.11", "versionStartIncluding": "8.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DFD62C8-07EF-4C7C-B18B-414A9C4A2955", "versionEndIncluding": "9.1.8", "versionStartIncluding": "9.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*", "matchCriteriaId": "9331C47E-0CA4-4B2F-A89F-5C0AAEF3ECAA", "versionEndIncluding": "9.2.6", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortinac:9.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "E12E11B0-E21A-4124-9DF9-FF268BB19813", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortinac:9.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "4648F862-AB8C-4B8D-8F2D-5D2641F08845", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortinac-f:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE647F-0252-42E2-8BDD-C98DC899C613", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions 8.7.0 all versions may allow an unauthenticated attacker to perform a DoS attack on the device via client-secure renegotiation."}], "id": "CVE-2023-22633", "lastModified": "2023-11-07T04:07:10.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2023-06-13T09:15:16.127", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-521"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-264"}], "source": "psirt@fortinet.com", "type": "Secondary"}]}