First published: Wed May 03 2023
An out-of-bounds write in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.11, FortiOS version 6.2.0 through 6.2.13, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.
Credit: psirt@fortinet.com
Affected Software | Affected Version | How to fix |
---|---|---|
Fortinet FortiProxy | =1.0.0 | |
Fortinet FortiProxy | =1.1.0 | |
Fortinet FortiProxy | =1.2.0 | |
Fortinet FortiProxy | =2.0.0 | |
Fortinet FortiOS | >=6.0.0<=6.0.16 | |
Fortinet FortiOS | >=6.2.0<6.2.14 | |
Fortinet FortiOS | >=6.4.0<6.4.12 | |
Fortinet FortiOS | >=7.0.0<7.0.11 | |
Fortinet FortiOS | >=7.2.0<7.2.4 | |
Fix:

- Please upgrade to FortiOS version 7.4.0 or above
- Please upgrade to FortiOS version 7.2.4 or above
- Please upgrade to FortiOS version 7.0.11 or above
- Please upgrade to FortiOS version 6.4.12 or above
- Please upgrade to FortiOS version 6.2.14 or above
- Please upgrade to FortiProxy version 7.2.2 or above
- Please upgrade to FortiProxy version 7.0.8 or above

Workaround: Disable "Host Check", "Restrict to Specific OS Versions" and "MAC address host checking" in the sslvpn portal configuration. For example, for the "full-access" sslvpn portal:

```
config vpn ssl web portal
    edit "full-access"
        set os-check disable
        set host-check none
        set mac-addr-check disable
end
```
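To verify the workaround across every portal rather than only "full-access", the following added example (not part of this advisory or of Fortinet's tooling) parses a FortiOS configuration backup and reports portals where any of the three host-check settings is still enabled. It assumes the standard FortiOS `config` / `edit` / `set` / `next` / `end` block layout; the sample configuration is constructed, and an unset key is assumed to be at the FortiOS default, which is the disabled value.

```python
import re

# Constructed sample FortiOS configuration excerpt (not taken from any real device).
# "full-access" still has host checking on; "restricted" already matches the
# advisory's workaround; "other" never sets the three keys (assumed defaults).
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set os-check enable
        set host-check av-fw
        set mac-addr-check enable
    next
    edit "restricted"
        set os-check disable
        set host-check none
        set mac-addr-check disable
    next
    edit "other"
        set tunnel-mode disable
    next
end
"""

# The settings the FG-IR-22-475 workaround disables, with the value that counts as disabled.
SAFE_VALUES = {"os-check": "disable", "host-check": "none", "mac-addr-check": "disable"}


def parse_portals(config_text):
    """Return {portal_name: {setting: value}} for the 'config vpn ssl web portal' block only."""
    portals, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl web portal":
            in_block = True
        elif in_block and line == "end":
            in_block = False                      # leave the portal block; ignore the rest
        elif in_block:
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                portals[current] = {}
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                _, key, value = line.split(None, 2)  # "set <key> <value...>"
                portals[current][key] = value
    return portals


def portals_needing_workaround(config_text):
    """Portals with at least one host-check feature enabled, mapped to the offending settings."""
    findings = {}
    for name, settings in parse_portals(config_text).items():
        bad = {k: settings[k] for k, safe in SAFE_VALUES.items() if k in settings and settings[k] != safe}
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for portal, bad in portals_needing_workaround(SAMPLE_CONFIG).items():
        print(f"portal {portal!r} still enables: {bad}")
```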
CVE-2023-22640 is a vulnerability in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.11, FortiOS version 6.2.0 through 6.2.13, and FortiOS all versions 6.0, as well as FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7, and FortiProxy version 1.0.0 through 2.0.0.
CVE-2023-22640 has a severity rating of 8.8 (High).
The affected software for CVE-2023-22640 includes Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.11, FortiOS version 6.2.0 through 6.2.13, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7, and FortiProxy version 1.0.0 through 2.0.0.
Yes, there is a fix available for CVE-2023-22640. It is recommended to update to the latest version of Fortinet FortiOS or FortiProxy that includes a patch for the vulnerability.
You can find more information about CVE-2023-22640 on the FortiGuard website at https://fortiguard.com/psirt/FG-IR-22-475.