CVE-2022-45862: GUI Console WebSockets do not terminate on logout
First published: Tue Aug 13 2024(Updated: )
An insufficient session expiration vulnerability [CWE-613] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiProxy | >=7.0.0<7.4.0 | |
| Fortinet FortiSwitchManager | >=7.0.0<7.2.2 | |
| Fortinet FortiOS IPS Engine | >=6.4.0<7.2.6 | |
| FortiGuard FortiPAM | >=1.0.0<1.4.0 | |
| Fortinet FortiOS IPS Engine | >=7.2.0<=7.2.5 | |
| Fortinet FortiOS IPS Engine | >=7.0 | |
| Fortinet FortiOS IPS Engine | >=6.4 | |
| FortiGuard FortiPAM | >=1.3 | |
| FortiGuard FortiPAM | >=1.2 | |
| FortiGuard FortiPAM | >=1.1 | |
| FortiGuard FortiPAM | >=1.0 | |
| Fortinet FortiProxy | >=7.2 | |
| Fortinet FortiProxy | >=7.0 | |
| Fortinet FortiSwitchManager | >=7.2.0<=7.2.1 | |
| Fortinet FortiSwitchManager | >=7.0 |
Remedy
Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiOS version 7.2.6 or above Please upgrade to FortiPAM version 1.4.0 or above Please upgrade to FortiProxy version 7.4.0 or above Please upgrade to FortiSwitchManager version 7.2.2 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-45862?
CVE-2022-45862 has been classified as a high severity vulnerability due to insufficient session expiration.
How do I fix CVE-2022-45862?
To fix CVE-2022-45862, upgrade to FortiOS version 7.2.6 or later, FortiProxy version 7.2 or later, FortiPAM version 1.4.0 or later, or FortiSwitchManager version 7.2.2 or later.
Which products are affected by CVE-2022-45862?
CVE-2022-45862 affects FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager across various versions.
What is an insufficient session expiration vulnerability in the context of CVE-2022-45862?
An insufficient session expiration vulnerability, like CVE-2022-45862, allows attackers to reuse web sessions after a user logs out if they obtain the necessary credentials.
Is remote exploitation possible with CVE-2022-45862?
Yes, CVE-2022-45862 could be exploited remotely if an attacker has access to the valid user credentials.
- agent/first-publish-date
- agent/title
- agent/remedy
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2022-45862
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/fortiguard-psirt
- vendor/fortinet
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/7.0.0
- canonical/fortinet fortiswitchmanager
- version/fortinet fortiswitchmanager/7.0.0
- canonical/fortinet fortios ips engine
- version/fortinet fortios ips engine/6.4.0
- canonical/fortiguard fortipam
- version/fortiguard fortipam/1.0.0
- version/fortinet fortios ips engine/7.2.0
- version/fortinet fortios ips engine/7.2.5
- version/fortinet fortios ips engine/7.0
- version/fortinet fortios ips engine/6.4
- version/fortiguard fortipam/1.3
- version/fortiguard fortipam/1.2
- version/fortiguard fortipam/1.1
- version/fortiguard fortipam/1.0
- version/fortinet fortiproxy/7.2
- version/fortinet fortiproxy/7.0
- version/fortinet fortiswitchmanager/7.2.0
- version/fortinet fortiswitchmanager/7.2.1
- version/fortinet fortiswitchmanager/7.0