Insufficient Session Expiration Vulnerability Affects FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager
CVE-2022-45862

8.8HIGH

Key Information:

Vendor: Fortinet
Status: Fortipam; Fortiproxy; FortiOS; Fortiswitchmanager
Vendor: CVE Published:; 13 August 2024

Summary

An insufficient session expiration vulnerability exists across multiple Fortinet products, including FortiOS and FortiProxy. This vulnerability allows attackers to potentially reuse web sessions even after a user has logged out of the graphical user interface (GUI). If an attacker manages to obtain the necessary credentials, they may exploit this flaw to gain unauthorized access to the system. Affected versions of the products do not implement adequate measures to securely handle user sessions, raising significant security concerns for users. Organizations using these products are advised to review their configurations and update to the latest versions where possible.

Affected Version(s)

FortiOS 7.2.0 <= 7.2.5

FortiOS 7.0.0 <= 7.0.7

FortiOS 6.4.0 <= 6.4.11

References

https://fortiguard.com/psirt/FG-IR-22-445

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 13, 2024
Vulnerability Reserved
Nov 23, 2022