CVE-2023-40717: Fortiguard
A use of hard-coded credentials vulnerability [CWE-798] in FortiTester 2.3.0 through 7.2.3 may allow an attacker who managed to get a shell on the device to access the database via shell commands.
FortiTester - Use of hardcoded password for the mongodb service
Summary
A use of hard-coded credentials vulnerability [CWE-798] in FortiTester may allow an attacker who has already obtained a shell on the device to access the MongoDB database via shell commands, because the password of the mongodb service is hard-coded in the product. The issue does not grant remote access by itself: its impact is that an existing shell on the appliance is sufficient to reach the database without any further credential.
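The pattern the advisory describes, shown beside a hardened alternative, as an added example in Python. This is not FortiTester or Fortinet code and does not reproduce the real password: the placeholder constant, the host, port, user name and secret-file paths are all assumptions. The vulnerable form bakes one password into the image, so every appliance shares it and a shell on any one of them yields the database on all of them; the hardened form generates a random password per device at provisioning time, stores it owner-only, and refuses to use a secret file that is a symlink, is group- or world-readable, or is owned by someone else.

```python
"""CWE-798 in practice: a hard-coded service password versus a secret that is
generated per device at provisioning time and read from a protected file.
Added example, not FortiTester code. Host, port, user name, file paths and
the placeholder password are assumptions."""
import os
import secrets
import stat
import tempfile
from urllib.parse import quote_plus

# --- Vulnerable pattern -------------------------------------------------
# The password is a compile-time constant, so every appliance built from
# this source shares it and anyone with a shell (or a firmware image) can
# connect to the database. The value is a placeholder, not the real one.
HARDCODED_DB_PASSWORD = "changeme-placeholder"


def build_uri_hardcoded(host="127.0.0.1", port=27017, user="svc"):
    """Connection string with the secret baked into the code (do not do this)."""
    return f"mongodb://{quote_plus(user)}:{quote_plus(HARDCODED_DB_PASSWORD)}@{host}:{port}/"


# --- Hardened pattern ---------------------------------------------------
def provision_db_password(secret_path, nbytes=32):
    """Generate a fresh random password for this device and store it 0600.

    O_EXCL makes a second provisioning run fail instead of silently
    overwriting a secret that other services may already hold.
    """
    password = secrets.token_urlsafe(nbytes)
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password)
    return password


def load_db_password(secret_path):
    """Read the secret, refusing files that anyone but the owner can reach."""
    st = os.lstat(secret_path)          # lstat: a symlink is not a regular file
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{secret_path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{secret_path}: group/other permission bits set")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{secret_path}: not owned by the service user")
    with open(secret_path) as fh:
        password = fh.read().strip()
    if len(password) < 16:
        raise ValueError(f"{secret_path}: too short to be a provisioned secret")
    return password


def build_uri(secret_path, host="127.0.0.1", port=27017, user="svc"):
    """Connection string built from the per-device secret at runtime."""
    password = load_db_password(secret_path)
    return f"mongodb://{quote_plus(user)}:{quote_plus(password)}@{host}:{port}/"


def self_check():
    """Exercise both paths in a scratch directory; returns results to assert on."""
    with tempfile.TemporaryDirectory() as d:
        dev_a = os.path.join(d, "device_a.pw")
        dev_b = os.path.join(d, "device_b.pw")
        pw_a = provision_db_password(dev_a)
        pw_b = provision_db_password(dev_b)
        uri_a = build_uri(dev_a)
        try:
            provision_db_password(dev_a)
            reprovision_refused = False
        except FileExistsError:
            reprovision_refused = True
        os.chmod(dev_a, 0o644)          # simulate a sloppy deploy step
        try:
            build_uri(dev_a)
            world_readable_rejected = False
        except PermissionError:
            world_readable_rejected = True
        return {
            "per_device_secrets_differ": pw_a != pw_b,
            "uri_carries_secret": quote_plus(pw_a) in uri_a,
            "reprovision_refused": reprovision_refused,
            "world_readable_rejected": world_readable_rejected,
        }


if __name__ == "__main__":
    print(build_uri_hardcoded())
    print(self_check())
```

The ownership and mode checks are what turn "an attacker got a shell" back into a bounded problem: an unprivileged shell user who cannot read the secret file cannot build the connection string, whereas with a hard-coded password the same shell user only needs to know the constant. Rotating a per-device secret is a local operation (delete the file, re-run provisioning), while rotating a hard-coded one requires a new firmware build for every appliance.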
Affected Products
FortiTester 7.2 all versions
FortiTester 7.1 all versions
FortiTester 7.0 all versions
FortiTester 4.2 all versions
FortiTester 4.1 all versions
FortiTester 4.0 all versions
FortiTester 3.9 all versions
FortiTester 3.8 all versions
FortiTester 3.7 all versions
FortiTester 3.6 all versions
FortiTester 3.5 all versions
FortiTester 3.4 all versions
FortiTester 3.3 all versions
FortiTester 3.2 all versions
FortiTester 3.1 all versions
FortiTester 3.0 all versions
FortiTester 2.9 all versions
FortiTester 2.8 all versions
FortiTester 2.7 all versions
FortiTester 2.6 all versions
FortiTester 2.5 all versions
FortiTester 2.4 all versions
FortiTester 2.3 all versions
Solutions
Please upgrade to FortiTester version 7.3.0 or above
Acknowledgement
Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.
Timeline
2023-09-01: Initial publication