Insufficient logging and lack of limitation of failed authentication attempts Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-170 Final 1 1 2022-12-06T00:00:00 Current version 2022-12-06T00:00:00 2022-12-06T00:00:00 An insufficient logging [CWE-778] vulnerability in FortiSandbox and FortiDeceptor may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts. None Improper access control FortiSandbox version 3.1.0 through 3.1.5FortiSandbox version 3.2.0 through 3.2.3FortiSandbox version 4.0.0 through 4.0.2FortiDeceptor version 4.2.0FortiDeceptor version 4.1.0 through 4.1.1FortiDeceptor version 4.0.0 through 4.0.2FortiDeceptor version 3.3.0 through 3.3.3FortiDeceptor version 3.2.0 through 3.2.2FortiDeceptor version 3.1.0 through 3.1.1FortiDeceptor version 3.0.0 through 3.0.2 Please upgrade to FortiSandbox version 4.2.1 or abovePlease upgrade to FortiDeceptor version 4.3.0 or above Fortinet is pleased to thank Mohamed Elobeid for reporting this vulnerability under responsible disclosure. CVE-2022-30305 3.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-170 Insufficient logging and lack of limitation of failed authentication attempts Reference>