CVE-2023-37939: Fortiguard
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions; Linux 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions; and Mac 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions, 6.2 all versions may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.
FortiClient - Information disclosure of folders to exclude from scanning
Summary
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows, Linux and Mac may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.
| Version | Affected | Solution |
|---|---|---|
| FortiClientMac 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
| FortiClientMac 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiClientMac 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiClientMac 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiClientWindows 7.2 | 7.2.0 | Upgrade to 7.2.1 or above |
| FortiClientWindows 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiClientWindows 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiClientWindows 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiClientLinux 7.2 | 7.2.0 | Upgrade to 7.2.1 or above |
| FortiClientLinux 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiClientLinux 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiClientLinux 6.2 | 6.2 all versions | Migrate to a fixed release |
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
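The affected-version table above is easy to misread at scale, because three rows are single or bounded releases ("7.2.0", "7.2.0 through 7.2.1") while the rest are whole branches ("7.0 all versions"). The following is an added example, not Fortinet's tooling, that transcribes the table into range objects and triages a constructed endpoint inventory against it; the product names, hostnames and installed versions in the sample inventory are assumptions made up for the demonstration.

```python
"""Affected-version triage for CVE-2023-37939, transcribed from the advisory's
Version / Affected / Solution table. Added example, not Fortinet's own tooling."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a 3-tuple; a missing patch level is 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class AffectedRange:
    product: str                 # e.g. "FortiClientWindows", as named in the table
    branch: Tuple[int, int]      # release branch the row covers, e.g. (7, 2)
    low: Optional[Version]       # inclusive bounds; None means "all versions" of the branch
    high: Optional[Version]
    solution: str

    @classmethod
    def from_row(cls, product: str, branch: str, affected: str, solution: str) -> "AffectedRange":
        """Build a range from one table row, parsing the wording the advisory uses."""
        major, minor = (int(p) for p in branch.split("."))
        if affected.endswith("all versions"):
            low = high = None
        elif " through " in affected:
            lo, hi = affected.split(" through ")
            low, high = parse_version(lo), parse_version(hi)
        else:                                   # a single release, e.g. "7.2.0"
            low = high = parse_version(affected)
        return cls(product, (major, minor), low, high, solution)

    def contains(self, v: Version) -> bool:
        if (v[0], v[1]) != self.branch:
            return False
        if self.low is None:                    # whole branch affected
            return True
        return self.low <= v <= self.high


# Rows copied verbatim from the advisory table (product, branch, affected, solution).
ADVISORY_TABLE = [
    ("FortiClientMac", "7.2", "7.2.0 through 7.2.1", "Upgrade to 7.2.2 or above"),
    ("FortiClientMac", "7.0", "7.0 all versions", "Migrate to a fixed release"),
    ("FortiClientMac", "6.4", "6.4 all versions", "Migrate to a fixed release"),
    ("FortiClientMac", "6.2", "6.2 all versions", "Migrate to a fixed release"),
    ("FortiClientWindows", "7.2", "7.2.0", "Upgrade to 7.2.1 or above"),
    ("FortiClientWindows", "7.0", "7.0 all versions", "Migrate to a fixed release"),
    ("FortiClientWindows", "6.4", "6.4 all versions", "Migrate to a fixed release"),
    ("FortiClientWindows", "6.2", "6.2 all versions", "Migrate to a fixed release"),
    ("FortiClientLinux", "7.2", "7.2.0", "Upgrade to 7.2.1 or above"),
    ("FortiClientLinux", "7.0", "7.0 all versions", "Migrate to a fixed release"),
    ("FortiClientLinux", "6.4", "6.4 all versions", "Migrate to a fixed release"),
    ("FortiClientLinux", "6.2", "6.2 all versions", "Migrate to a fixed release"),
]
ADVISORY = [AffectedRange.from_row(*row) for row in ADVISORY_TABLE]


def remediation(product: str, version: str) -> Optional[str]:
    """Return the advisory's solution text if (product, version) is affected, else None."""
    rows = [r for r in ADVISORY if r.product == product]
    if not rows:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for r in rows:
        if r.contains(v):
            return r.solution
    return None


# Constructed inventory (hostname, product, installed version); assumed values, not real hosts.
SAMPLE_INVENTORY = [
    ("lab-mac-01", "FortiClientMac", "7.2.1"),
    ("lab-mac-02", "FortiClientMac", "7.2.2"),
    ("lab-win-01", "FortiClientWindows", "7.2.0"),
    ("lab-win-02", "FortiClientWindows", "7.0.9"),
    ("lab-lin-01", "FortiClientLinux", "7.2.1"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, solution) for every affected install."""
    findings = []
    for host, product, version in inventory:
        fix = remediation(product, version)
        if fix is not None:
            findings.append((host, product, version, fix))
    return findings


if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} affected by CVE-2023-37939 -> {fix}")
```

A version outside every listed branch (for example a later release line) is reported as not affected by this advisory, and a product name the table does not mention raises rather than silently passing, so an inventory with misspelled product fields cannot produce a clean report by accident.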
Acknowledgement
Fortinet is pleased to thank Alwin Warringa from Ordina for reporting this vulnerability under responsible disclosure.
Timeline
2023-10-05: Initial publication