Headline
CVE-2023-44249: Fortiguard
An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests.
** PSIRT Advisories**
FortiManager / FortiAnalyzer - Authorization bypass via key value controlled by user
Summary
An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiManager & FortiAnalyzer may allow a remote attacker with low privileges to read sensitive information via crafted HTTP requests.
Major Version
Affected Products
Solutions
FortiManager 7.4
7.4.0
Upgrade to 7.4.1 or above
FortiManager 7.2
7.2.0 through 7.2.3
Upgrade to 7.2.4 or above
FortiManager 7.0
7.0 all versions
Migrate to a fixed release
FortiManager 6.4
6.4 all versions
Migrate to a fixed release
FortiManager 6.2
6.2 all versions
Migrate to a fixed release
FortiAnalyzer 7.4
7.4.0
Upgrade to 7.4.1 or above
FortiAnalyzer 7.2
7.2.0 through 7.2.3
Upgrade to 7.2.4 or above
FortiAnalyzer 7.0
7.0 all versions
Migrate to a fixed release
FortiAnalyzer 6.4
6.4 all versions
Migrate to a fixed release
FortiAnalyzer 6.2
6.2 all versions
Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Fortinet is pleased to thank security researchers Mickael Dorigny at Orange Cyberdéfense, Hélène Saliou, Frédéric Prevost, François-Xavier Picard and Orange CERT-CC at Orange group for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-10-10: Initial publication