CVE-2022-45856

Description

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and both the service provider and the identity provider.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Physical

Unchanged

Changed

Affected products

fortinet / FortiClientAndroid7.2.0 – 7.2.0
fortinet / FortiClientAndroid7.0.6 – 7.0.7
fortinet / FortiClientAndroid7.0.2 – 7.0.3
fortinet / FortiClientAndroid7.0.0 – 7.0.0
fortinet / FortiClientAndroid6.4.6 – 6.4.6
fortinet / FortiClientAndroid6.4.4 – 6.4.4
fortinet / FortiClientAndroid6.4.1 – 6.4.1
fortinet / FortiClientAndroid6.0.0 – 6.0.0
fortinet / FortiClientAndroid5.6.0 – 5.6.0
fortinet / FortiClientAndroid5.4.0 – 5.4.2
fortinet / FortiClientAndroid5.2.0 – 5.2.8
fortinet / FortiClientAndroid5.0.0 – 5.0.3
fortinet / forticlientios7.0.6 – 7.0.6
fortinet / forticlientios5.4.3 – 5.4.3
fortinet / forticlientios5.4.1 – 5.4.1
fortinet / forticlientios5.4.0 – 5.4.0
fortinet / forticlientios5.2.3 – 5.2.3
fortinet / forticlientios5.2.2 – 5.2.2
fortinet / forticlientios5.2.1 – 5.2.1
fortinet / forticlientios5.2.0 – 5.2.0
fortinet / forticlientios5.0.3 – 5.0.3
fortinet / forticlientios5.0.2 – 5.0.2
fortinet / forticlientios5.0.1 – 5.0.1
fortinet / forticlientios5.0.0 – 5.0.0
fortinet / forticlientios4.0.2 – 4.0.2
fortinet / forticlientios4.0.1 – 4.0.1
fortinet / forticlientios4.0.0 – 4.0.0
fortinet / forticlientios2.0.1 – 2.0.1
fortinet / forticlientios2.0.0 – 2.0.0
fortinet / forticlientios5.4.4 – 5.4.4
fortinet / forticlientios7.0.5 – 7.0.5
fortinet / forticlientios7.0.4 – 7.0.4
fortinet / forticlientios7.0.3 – 7.0.3
fortinet / forticlientios7.0.1 – 7.0.1
fortinet / forticlientios7.0.0 – 7.0.0
fortinet / forticlientios6.0.1 – 6.0.1
fortinet / forticlientios6.0.0 – 6.0.0
fortinet / forticlientios5.6.6 – 5.6.6
fortinet / forticlientios5.6.5 – 5.6.5
fortinet / forticlientios5.6.1 – 5.6.1
fortinet / forticlientios5.6.0 – 5.6.0
fortinet / forticlientlinux7.0.0 – 7.0.13
fortinet / forticlientlinux6.4.7 – 6.4.9
fortinet / forticlientlinux6.4.0 – 6.4.4
fortinet / forticlientlinux7.2.0 – 7.2.4
fortinet / forticlientmac7.2.0 – 7.2.4
fortinet / forticlientmac7.0.0 – 7.0.13
fortinet / forticlientmac6.4.0 – 6.4.10
fortinet / forticlientwindows7.0.0 – 7.0.7
fortinet / forticlientwindows6.4.0 – 6.4.10

References

VENDOR_ADVISORYhttps://fortiguard.fortinet.com/psirt/FG-IR-22-230