CVE-2023-41838: Fortiguard

An improper neutralization of special elements used in an OS command ('OS command injection') in FortiManager 7.4.0 and 7.2.0 through 7.2.3 may allow an attacker to execute unauthorized code or commands via the FortiManager CLI. (This is the NVD summary; the vendor advisory below lists a wider set of affected branches, for FortiAnalyzer as well as FortiManager.)


**PSIRT Advisories**

FortiManager & FortiAnalyzer - Arbitrary file deletion

Summary

An improper neutralization of special elements used in an OS command in FortiManager and FortiAnalyzer may allow a low-privileged authenticated attacker to delete arbitrary files via the CLI. Note that the advisory cites CWE-22 (path traversal) while its wording, and the NVD entry above, describe OS command injection (CWE-78); the practical effect stated by the vendor is arbitrary file deletion by an authenticated CLI user.

| Major Version | Affected Products | Solutions |
| --- | --- | --- |
| FortiAnalyzer 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above |
| FortiAnalyzer 6.4 | 6.4.0 through 6.4.12 | Upgrade to 6.4.13 or above |
| FortiAnalyzer 6.2 | 6.2.0 through 6.2.11 | Upgrade to 6.2.12 or above |
| FortiManager 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.12 | Upgrade to 6.4.13 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.11 | Upgrade to 6.2.12 or above |

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
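The following is an added example, not part of the Fortinet advisory, showing how to turn the affected-version table above into an inventory check. It assumes a version string of the form `vX.Y.Z-build...` as printed by `get system status` on FortiManager/FortiAnalyzer; the device names and version lines in the sample inventory are constructed. The point it makes that the table alone does not: versions must be compared as integer triples, because a string comparison puts 7.0.10 before 7.0.9 and would misclassify a patched 7.0 device as vulnerable.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and first fixed release per branch, as listed in the advisory.
# FortiManager and FortiAnalyzer share the same table for this issue.
AFFECTED = [
    # (first affected, last affected, first fixed), all inclusive
    ((7, 4, 0), (7, 4, 0), (7, 4, 1)),
    ((7, 2, 0), (7, 2, 3), (7, 2, 4)),
    ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
    ((6, 4, 0), (6, 4, 12), (6, 4, 13)),
    ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
]

# Assumed format of the "Version:" line from `get system status`, e.g.
# "Version: v7.2.3-build0000 230101 (GA)"; only the X.Y.Z triple is used.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch as integers so that 7.0.10 > 7.0.9."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[Version]]:
    """Return ("affected", first_fixed), ("fixed", None) or ("not listed", None).

    "not listed" means the branch does not appear in the advisory at all
    (for example 8.x or an end-of-support 6.0 build); that is not a statement
    that the device is safe, only that the vendor table says nothing about it.
    """
    v = parse_version(version_text)
    for lo, hi, fixed in AFFECTED:
        if lo <= v <= hi:
            return ("affected", fixed)
        if v[:2] == fixed[:2] and v >= fixed:
            return ("fixed", None)
    return ("not listed", None)


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> human-readable status for an inventory of version lines."""
    out = {}
    for host, line in inventory.items():
        status, fixed = assess(line)
        if status == "affected":
            out[host] = f"affected, upgrade to {'.'.join(map(str, fixed))} or above"
        else:
            out[host] = status
    return out


# Constructed sample inventory; not real device output.
SAMPLE_INVENTORY = {
    "fmg-core-01": "Version: v7.2.3-build0000 230101 (GA)",
    "fmg-lab-01": "Version: v7.4.1-build0000 230101 (GA)",
    "faz-log-01": "Version: v7.0.10-build0000 230101 (GA)",
    "faz-old-01": "Version: v6.4.12-build0000 230101 (GA)",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Because the advisory table is keyed by branch, the check first tests the affected range and then whether the version is at or above that branch's fixed release; anything else is reported as "not listed" rather than silently treated as patched.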

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2023-10-02: Initial publication
