CVE-2022-30305

moderate-risk
Published 2022-12-06

An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.

Do I need to act?

-
0.22% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (11)

Fortideceptor
Fortideceptor
Fortideceptor
Fortideceptor
Fortideceptor
Fortideceptor

Affected Vendors

Fortinet

References (2)

Patch https://fortiguard.com/psirt/FG-IR-21-170
Patch https://fortiguard.com/psirt/FG-IR-21-170
30
/ 100
moderate-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate