CVE-2022-42477: FortiGuard
An improper input validation vulnerability [CWE-20] in FortiAnalyzer versions 7.2.1 and below, 7.0.6 and below, and all 6.4 versions may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.
PSIRT Advisories
FortiAnalyzer - Improper input validation in custom dataset
Summary
An improper input validation vulnerability [CWE-20] in FortiAnalyzer may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.
Affected Products
FortiAnalyzer version 7.2.1 and below,
FortiAnalyzer version 7.0.6 and below,
FortiAnalyzer 6.4 all versions.
Solutions
Please upgrade to FortiAnalyzer version 7.2.2 or above.
Please upgrade to FortiAnalyzer version 7.0.7 or above.
Acknowledgement
Fortinet is pleased to thank Darmin Blazevic (Fujitsu Services GmbH) for bringing this issue to our attention under responsible disclosure.
Timeline
2023-03-23: Initial publication