Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2022-23439

Externally Controlled Reference to a Resource in Another Sphere

Published: Jan 22, 2025 | Modified: Feb 12, 2025
CVSS 3.x
6.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-23439
CWEhttps://cwe.mitre.org/data/definitions/610.html

A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.0 and before 7.0.5, FortiADC version 7.0.0 through 7.0.1 and before 6.2.3 , FortiDDoS before version 5.5.1, FortiDDoS-F before version 6.3.3, FortiTester before version 7.2.1, FortiSOAR before version 7.2.2 and FortiSwitch before version 6.3.3 allows attacker to poison web caches via crafted HTTP requests, where the Host header points to an arbitrary webserver

Weakness

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Affected Software

Name Vendor Start Version End Version
Fortiadc Fortinet 5.4.0 (including) 6.2.4 (excluding)
Fortiauthenticator Fortinet 6.3.0 (including) 6.3.4 (excluding)
Fortiauthenticator Fortinet 6.4.0 (including) 6.4.2 (excluding)
Fortiddos Fortinet 5.3.0 (including) 5.5.2 (excluding)
Fortiddos-f Fortinet 6.1.0 (including) 6.3.4 (excluding)
Fortimail Fortinet 6.4.0 (including) 7.0.4 (excluding)
Fortindr Fortinet 1.4.0 (including) 7.1.1 (excluding)
Fortindr Fortinet 7.2.0 (including) 7.2.0 (including)
Fortiproxy Fortinet 2.0.0 (including) 7.0.5 (excluding)
Fortiproxy Fortinet 7.2.0 (including) 7.4.0 (excluding)
Fortirecorder Fortinet 6.0.0 (including) 6.0.11 (excluding)
Fortirecorder Fortinet 6.4.0 (including) 6.4.3 (excluding)
Fortisoar Fortinet 6.4.0 (including) 7.3.0 (excluding)
Fortitester Fortinet 3.7.0 (including) 7.2.2 (excluding)
Fortivoice Fortinet 6.0.0 (including) 6.4.9 (excluding)
Fortiwlc Fortinet 8.6.0 (including) 8.6.7 (excluding)
Fortios Fortinet 6.0.0 (including) 7.0.6 (excluding)
Fortios Fortinet 7.2.0 (including) 7.2.5 (excluding)
Fortiswitch Fortinet 6.4.0 (including) 7.0.5 (excluding)

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use