CVE-2023-45582 - OpenCVE

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4, 7.0.0 through 7.0.6 and before 6.4.8 may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Fortinet	Fortimail

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortimail::::::::
	cpe:2.3:a:fortinet:fortimail::::::::
	cpe:2.3:a:fortinet:fortimail::::::::
	cpe:2.3:a:fortinet:fortimail::::::::
	cpe:2.3:a:fortinet:fortimail:7.4.0:::::::*

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-23-287	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: fortinet

Published: 2023-11-14T18:05:34.247Z

Updated: 2023-11-14T18:05:34.247Z

Reserved: 2023-10-09T08:01:29.296Z

Link: CVE-2023-45582

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-14T18:15:55.017

Modified: 2023-11-18T03:28:51.550

Link: CVE-2023-45582

JSON object: View

Redhat Information

No data.

CWE

CWE-307

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-45582", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-10-09T08:01:29.296Z", "datePublished": "2023-11-14T18:05:34.247Z", "dateUpdated": "2023-11-14T18:05:34.247Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiMail", "defaultStatus": "unaffected", "versions": [{"version": "7.4.0", "status": "affected"}, {"versionType": "semver", "version": "7.2.0", "lessThanOrEqual": "7.2.4", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.6", "status": "affected"}, {"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.8", "status": "affected"}, {"versionType": "semver", "version": "6.2.0", "lessThanOrEqual": "6.2.9", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4, 7.0.0 through 7.0.6 and before 6.4.8 may allow an unauthenticated attacker to\u00a0 perform a brute force attack on the affected endpoints via repeated login attempts."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-11-14T18:05:34.247Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "Improper access control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiMail version 7.4.1 or above \nPlease upgrade to FortiMail version 7.2.5 or above \nPlease upgrade to FortiMail version 7.0.7 or above \nPlease upgrade to FortiMail version 6.4.9 or above \n"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-23-287", "url": "https://fortiguard.com/psirt/FG-IR-23-287"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEDC7EE8-084C-4F9E-A510-E283FCDF9832", "versionEndIncluding": "6.2.9", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFF1A29D-46B8-4E8C-8D8B-39276CFED5BD", "versionEndIncluding": "6.4.8", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "64646177-D83C-49A1-A93D-AB51ECE66605", "versionEndIncluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F74C5E7-FFA4-4C28-AEC5-161E7B3C2F4C", "versionEndIncluding": "7.2.4", "versionStartIncluding": "7.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimail:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D88B2A69-846E-4AFB-9E00-EBDC2A7015D5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4, 7.0.0 through 7.0.6 and before 6.4.8 may allow an unauthenticated attacker to\u00a0 perform a brute force attack on the affected endpoints via repeated login attempts."}, {"lang": "es", "value": "Una vulnerabilidad de restricci\u00f3n inadecuada de intentos excesivos de autenticaci\u00f3n [CWE-307] en el correo web FortiMail versi\u00f3n 7.2.0 a 7.2.4, 7.0.0 a 7.0.6 y anteriores a 6.4.8 puede permitir que un atacante no autenticado realice un ataque de fuerza bruta en los endpoints afectados mediante repetidos intentos de inicio de sesi\u00f3n."}], "id": "CVE-2023-45582", "lastModified": "2023-11-18T03:28:51.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2023-11-14T18:15:55.017", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-23-287"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "psirt@fortinet.com", "type": "Primary"}]}