CVE-2022-26115 - Vulnerability Details - OpenCVE

A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortisandbox

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortisandbox:3.2.0:::::::*
	cpe:2.3:a:fortinet:fortisandbox:3.2.1:::::::*
	cpe:2.3:a:fortinet:fortisandbox:3.2.2:::::::*
	cpe:2.3:a:fortinet:fortisandbox:3.2.3:::::::*
	cpe:2.3:a:fortinet:fortisandbox:4.0.0:::::::*
	cpe:2.3:a:fortinet:fortisandbox:4.0.1:::::::*
	cpe:2.3:a:fortinet:fortisandbox:4.0.2:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-20-220

History

Tue, 22 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2023-02-16T18:07:32.040Z

Updated: 2024-10-22T20:49:13.825Z

Reserved: 2022-02-25T14:18:24.278Z

Link: CVE-2022-26115

Vulnrichment

Updated: 2024-08-03T04:56:37.500Z

NVD

Status : Modified

Published: 2023-02-16T19:15:12.047

Modified: 2024-11-21T06:53:27.627

Link: CVE-2022-26115

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-26115", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2022-02-25T14:18:24.278Z", "datePublished": "2023-02-16T18:07:32.040Z", "dateUpdated": "2024-10-22T20:49:13.825Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSandbox", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.0.0", "lessThanOrEqual": "4.0.2", "status": "affected"}, {"versionType": "semver", "version": "3.2.0", "lessThanOrEqual": "3.2.3", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the\u00a0password database to efficiently mount bulk guessing attacks to recover the passwords."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-02-16T18:07:32.040Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-916", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSandbox version 4.2.0 and above."}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-220", "url": "https://fortiguard.com/psirt/FG-IR-20-220"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.500Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-20-220", "url": "https://fortiguard.com/psirt/FG-IR-20-220", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T20:18:30.750261Z", "id": "CVE-2022-26115", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:49:13.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-20-220", "name": "https://fortiguard.com/psirt/FG-IR-20-220", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.500Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-26115", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T20:18:30.750261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:20:49.668Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:X/RC:X", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fortinet", "product": "FortiSandbox", "versions": [{"status": "affected", "version": "4.0.0", "versionType": "semver", "lessThanOrEqual": "4.0.2"}, {"status": "affected", "version": "3.2.0", "versionType": "semver", "lessThanOrEqual": "3.2.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSandbox version 4.2.0 and above."}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-20-220", "name": "https://fortiguard.com/psirt/FG-IR-20-220"}], "descriptions": [{"lang": "en", "value": "A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the\u00a0password database to efficiently mount bulk guessing attacks to recover the passwords."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-916", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-02-16T18:07:32.040Z"}}}, "cveMetadata": {"cveId": "CVE-2022-26115", "state": "PUBLISHED", "dateUpdated": "2024-10-22T20:49:13.825Z", "dateReserved": "2022-02-25T14:18:24.278Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2023-02-16T18:07:32.040Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortisandbox:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "3DDB3490-E30F-45CC-81B7-EFB5C1A60DA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "143DD85B-4CE7-409D-B215-6069D2EF33D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "53070F6A-CC5B-43C9-96F9-2C0930A8D3CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "4B38F72A-A271-43FE-8FBF-02AB87BA9D47", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0260B512-77CA-4FE8-A039-D7B287A19BAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7D6CCD1A-3412-4A55-88A8-40B227FB00BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "51A80522-EBFC-4C3E-BF38-01453CC359F7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the\u00a0password database to efficiently mount bulk guessing attacks to recover the passwords."}], "id": "CVE-2022-26115", "lastModified": "2024-11-21T06:53:27.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-16T19:15:12.047", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-20-220"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-20-220"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-916"}], "source": "psirt@fortinet.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-916"}], "source": "nvd@nist.gov", "type": "Primary"}]}