Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-42474: Fortiguard

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.

CVE
#vulnerability#ios

** PSIRT Advisories**

FortiOS, FortiProxy & FortiSwitchManager - Path traversal vulnerability in administrative interface

Summary

A relative path traversal vulnerability [CWE-23] in FortiOS, FortiProxy & FortiSwitchManager administrative interface may allow a privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.

Affected Products

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.12
FortiOS 6.2 all versions
FortiSwitchManager version 7.2.0 through 7.2.1
FortiSwitchManager version 7.0.0 through 7.0.1
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy version 2.0.0 through 2.0.11
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

Solutions

Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.10 or above
Please upgrade to FortiOS version 6.4.13 or above
Please upgrade to FortiSwitchManager version 7.2.2 or above
Please upgrade to FortiSwitchManager version 7.0.2 or above
Please upgrade to FortiProxy version 7.2.2 or above
Please upgrade to FortiProxy version 7.0.8 or above
Please upgrade to FortiProxy version 2.0.12 or above

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

Timeline

2023-06-09: Initial publication

Related news

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907