CVE-2023-36635 - OpenCVE

An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2 7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortinet	Fortiswitchmanager

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortiswitchmanager:7.0.0:::::::*
	cpe:2.3:a:fortinet:fortiswitchmanager:7.0.1:::::::*
	cpe:2.3:a:fortinet:fortiswitchmanager:7.2.0:::::::*
	cpe:2.3:a:fortinet:fortiswitchmanager:7.2.1:::::::*
	cpe:2.3:a:fortinet:fortiswitchmanager:7.2.2:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-22-174

History

No history.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2023-09-07T12:41:13.903Z

Updated: 2024-08-02T16:52:54.065Z

Reserved: 2023-06-25T18:03:39.226Z

Link: CVE-2023-36635

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-09-07T13:15:08.433

Modified: 2023-11-07T04:16:39.410

Link: CVE-2023-36635

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36635", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-06-25T18:03:39.226Z", "datePublished": "2023-09-07T12:41:13.903Z", "dateUpdated": "2024-08-02T16:52:54.065Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSwitchManager", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.2.0", "lessThanOrEqual": "7.2.2", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2\r\n7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-09-07T12:41:13.903Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "Improper access control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:F/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiOS version 7.2.1 or above\r\nPlease upgrade to FortiOS version 7.0.8 or above\r\nPlease upgrade to FortiSwitchManager version 7.2.2 or above\r\nPlease upgrade to FortiSwitchManager version 7.0.2 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-174", "url": "https://fortiguard.com/psirt/FG-IR-22-174"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:52:54.065Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-174", "url": "https://fortiguard.com/psirt/FG-IR-22-174", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5B4A6B0D-1614-443B-8EBA-A8FBC2E1A832", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "331A1766-4EBA-4519-A8ED-E0DD68A187E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "2B73D78B-2270-45B7-854E-F985B8D88F3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:7.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "469E9E1C-154C-41CB-AC83-FBE5E6FA83EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:7.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "959248C7-DC92-4968-87F9-2A2CDF84F7BE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2\r\n7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API."}, {"lang": "es", "value": "Un control de acceso incorrecto en Fortinet FortiSwitchManager, versiones 7.2.0 a 7.2.2 y versiones 7.0.0 a 7.0.1, puede permitir que un usuario remoto autenticado con permisos de solo lectura modifique la configuraci\u00f3n de la interfaz a trav\u00e9s de la API."}], "id": "CVE-2023-36635", "lastModified": "2023-11-07T04:16:39.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2023-09-07T13:15:08.433", "references": [{"source": "psirt@fortinet.com", "tags": ["Not Applicable", "Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-174"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@fortinet.com", "type": "Secondary"}]}