{"api_version":"1","generated_at":"2026-04-23T04:12:07+00:00","cve":"CVE-2022-39954","urls":{"html":"https://cve.report/CVE-2022-39954","api":"https://cve.report/api/cve/CVE-2022-39954.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-39954","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-39954"},"summary":{"title":"CVE-2022-39954","description":"An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents.","state":"PUBLIC","assigner":"psirt@fortinet.com","published_at":"2023-02-16 19:15:00","updated_at":"2023-11-07 03:50:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://fortiguard.com/psirt/FG-IR-22-304","name":"https://fortiguard.com/psirt/FG-IR-22-304","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-39954","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39954","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"39954","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortinac","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39954","vulnerable":"1","versionEndIncluding":"9.2.7","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortinac","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39954","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortinac-f","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-39954","ASSIGNER":"psirt@fortinet.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information disclosure","cweId":"CWE-611"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Fortinet","product":{"product_data":[{"product_name":"FortiNAC","version":{"version_data":[{"version_affected":"<=","version_name":"9.4.0","version_value":"9.4.1"},{"version_affected":"<=","version_name":"9.2.0","version_value":"9.2.7"},{"version_affected":"<=","version_name":"9.1.0","version_value":"9.1.8"},{"version_affected":"<=","version_name":"8.8.0","version_value":"8.8.11"},{"version_affected":"<=","version_name":"8.7.0","version_value":"8.7.6"},{"version_affected":"<=","version_name":"8.6.0","version_value":"8.6.5"},{"version_affected":"<=","version_name":"8.5.0","version_value":"8.5.4"},{"version_affected":"=","version_value":"8.3.7"}]}}]}}]}},"references":{"reference_data":[{"url":"https://fortiguard.com/psirt/FG-IR-22-304","refsource":"MISC","name":"https://fortiguard.com/psirt/FG-IR-22-304"}]},"solution":[{"lang":"en","value":"Please upgrade to FortiNAC version 9.4.2 or above\r\nPlease upgrade to FortiNAC version 7.2.0 or above"}],"impact":{"cvss":[{"version":"3.1","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.9,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C"}]}},"nvd":{"publishedDate":"2023-02-16 19:15:00","lastModifiedDate":"2023-11-07 03:50:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortinac-f:*:*:*:*:*:*:*:*","versionEndExcluding":"7.2.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*","versionStartIncluding":"9.4.0","versionEndExcluding":"9.4.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*","versionStartIncluding":"8.3.7","versionEndIncluding":"9.2.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}