CVE-2022-26122
Severity CVSS v4.0:
Pending analysis
Type:
CWE-345
Insufficient Verification of Data Authenticity
Publication date:
02/11/2022
Last modified:
04/11/2022
Description
An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fortinet:antivirus_engine:0.4.23:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:2.0.49:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:2.0.60:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:4.4.54:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.33:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.137:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.142:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.144:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.145:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.156:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.157:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.243:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.252:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:antivirus_engine:6.253:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:* | 6.0.0 (including) | 6.0.12 (including) |
To consult the complete list of CPE names with products and versions, see this page