{"timestamp":"2024-10-22T20:18:34.434332Z","id":"CVE-2022-39948","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Fortinet","product":"FortiProxy","defaultStatus":"unaffected","versions":[{"version":"7.0.0","lessThanOrEqual":"7.0.6","versionType":"semver","status":"affected"},{"version":"2.0.0","lessThanOrEqual":"2.0.11","versionType":"semver","status":"affected"},{"version":"1.2.0","lessThanOrEqual":"1.2.13","versionType":"semver","status":"affected"}]},{"vendor":"Fortinet","product":"FortiOS","defaultStatus":"unaffected","versions":[{"version":"7.2.0","lessThanOrEqual":"7.2.3","versionType":"semver","status":"affected"},{"version":"7.0.0","lessThanOrEqual":"7.0.7","versionType":"semver","status":"affected"},{"version":"6.4.0","lessThanOrEqual":"6.4.11","versionType":"semver","status":"affected"},{"version":"6.2.0","lessThanOrEqual":"6.2.12","versionType":"semver","status":"affected"},{"version":"6.0.0","lessThanOrEqual":"6.0.16","versionType":"semver","status":"affected"}]}]

https://fortiguard.com/psirt/FG-IR-22-257

An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy)

An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy)

Fortinet, Inc. CWE-295

NIST AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

NIST CWE-295

OR
     *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 1.2.0 up to (including) 2.0.9
     *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.7
     *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 7.0.8
     *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.4

https://fortiguard.com/psirt/FG-IR-22-257 No Types Assigned

https://fortiguard.com/psirt/FG-IR-22-257 Vendor Advisory