What is the vulnerability ID for this vulnerability?

The vulnerability ID for this vulnerability is CVE-2022-22302.

What is the severity rating of CVE-2022-22302?

CVE-2022-22302 has a severity rating of medium.

Which software versions are affected by CVE-2022-22302?

CVE-2022-22302 affects FortiGate versions 6.4.0 through 6.4.1, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.13, as well as FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0.

What is the CWE ID for this vulnerability?

The CWE ID for this vulnerability is CWE-312.

How can a local unauthorized party exploit this vulnerability?

A local unauthorized party may exploit CVE-2022-22302 to retrieve the Fortinet private information stored in clear text.

Vulnerability/
CVE-2022-22302

medium

5.3

CWE

312

16/2/2023

11/7/2023

23/10/2024

25/10/2024

CVE-2022-22302: Cert private key disclosure

First published: Thu Feb 16 2023(Updated: )

A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate and FortiAuthenticator may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem. The potentially exposed private keys have been revoked, please upgrade to the versions provided in the solutions to support push proxy.

Credit: psirt@fortinet.com psirt@fortinet.com

Affected Software	Affected Version	How to fix
Fortinet FortiAuthenticator	>=6.0.0<=6.0.4
Fortinet FortiAuthenticator	=5.5.0
Fortinet FortiAuthenticator	=6.1.0
Fortinet FortiOS	>=6.0.0<=6.0.13
Fortinet FortiOS	>=6.2.0<=6.2.9
Fortinet FortiOS	=6.4.0
Fortinet FortiOS	=6.4.1

Remedy

Please upgrade to FortiGate version 6.4.2 or above. Please upgrade to FortiOS version 6.2.10 or above Please upgrade to FortiOS version 6.0.14 or above Please upgrade to FortiAuthenticator version 6.2.0 or above Please upgrade to FortiAuthenticator version 6.1.1 or above Please upgrade to FortiAuthenticator version 6.0.5 or above Workaround in FortiOS: Disable the FTM push service by using the below commands: config system ftm-push set status disable end

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2022-22302.
What is the severity rating of CVE-2022-22302?
CVE-2022-22302 has a severity rating of medium.
Which software versions are affected by CVE-2022-22302?
CVE-2022-22302 affects FortiGate versions 6.4.0 through 6.4.1, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.13, as well as FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0.
What is the CWE ID for this vulnerability?
The CWE ID for this vulnerability is CWE-312.
How can a local unauthorized party exploit this vulnerability?
A local unauthorized party may exploit CVE-2022-22302 to retrieve the Fortinet private information stored in clear text.

agent/type
agent/author
agent/softwarecombine
collector/nvd-api
agent/software-canonical-lookup-request
collector/nvd-latest
collector/nvd-index
agent/weakness
agent/remedy
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/fortiguard-psirt-latest
source/FortiGuard
alias/CVE-2022-22302
collector/fortiguard-psirt
agent/severity
agent/references
agent/title
agent/first-publish-date
agent/event
agent/description
agent/tags
agent/trending
vendor/fortinet
canonical/fortinet fortiauthenticator
version/fortinet fortiauthenticator/6.0.0
version/fortinet fortiauthenticator/6.0.4
version/fortinet fortiauthenticator/5.5.0
version/fortinet fortiauthenticator/6.1.0
canonical/fortinet fortios
version/fortinet fortios/6.0.0
version/fortinet fortios/6.0.13
version/fortinet fortios/6.2.0
version/fortinet fortios/6.2.9
version/fortinet fortios/6.4.0
version/fortinet fortios/6.4.1