CVE-2022-42476: 
FortiOS vulnerability analysis and mitigation

A relative path traversal vulnerability [CWE-23] was discovered in Fortinet FortiOS and FortiProxy systems, affecting multiple versions including FortiOS versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, and 6.2.0 through 6.2.12, as well as FortiProxy versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.11, and all versions of 1.2 and 1.1. The vulnerability was internally discovered by Théo Leleu of Fortinet Product Security team and was publicly disclosed on March 7, 2023 (Fortinet Advisory).

The vulnerability is classified as a relative path traversal issue (CWE-23) that could allow privileged VDOM administrators to escalate their privileges to super admin of the system through crafted CLI requests. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. This indicates that while the attack requires local access and high privileges, it can lead to a complete compromise of system confidentiality, integrity, and availability (NVD).

The successful exploitation of this vulnerability allows privileged VDOM administrators to elevate their privileges to super admin status on the affected system. For FortiProxy versions 7.0.x, 2.0.x, 1.2.x, and 1.1.x, the impact is noted as minor since these versions do not have VDOM functionality (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to the following versions: FortiOS version 7.2.4 or above, 7.0.9 or above, 6.4.12 or above, or 6.2.13 or above; FortiProxy version 7.2.2 or above, 7.0.8 or above, or 2.0.12 or above (Fortinet Advisory).