CVE-2022-23443: Fortiguard

An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.

IR Number: FG-IR-22-041
Date: May 3, 2022
Severity: Medium
CVSSv3 Score: 6.8
Impact: Information disclosure
CVE ID: CVE-2022-23443
Affected Products: FortiSOAR 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0


PSIRT Advisories

FortiSOAR - Improper access control on gateway API

Summary

An improper access control vulnerability [CWE-284] in FortiSOAR may allow an unauthenticated attacker to access gateway API data via crafted HTTP GET requests.

Affected Products

FortiSOAR versions 7.0.2 and below,
FortiSOAR versions 6.4.4 and below,
FortiSOAR versions 6.0.0,
FortiSOAR versions 5.x.x
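Affected-version triage as an added example (not Fortinet's code): the script below checks an inventory version string against the ranges listed above and the 7.2.0 fix, and reports versions that are below the fix but not in a listed range (such as 7.1.x) for manual review. Reading "X.Y.Z and below" as bounded to the X.Y line is an assumption, made because 6.0.0 is listed separately from "6.4.4 and below"; the sample versions are constructed.

```python
"""Classify a FortiSOAR version against the affected ranges in FG-IR-22-041 / CVE-2022-23443.
Added example, not Fortinet tooling. Reading "X.Y.Z and below" as "same X.Y line, patch <= Z"
is an assumption (the advisory lists the 6.4 line and 6.0.0 separately); samples are constructed."""
import re

FIXED_VERSION = (7, 2, 0)  # "Please upgrade to FortiSOAR version 7.2.0 or above."

# Affected ranges exactly as the advisory states them.
AFFECTED_RULES = ["7.0.2 and below", "6.4.4 and below", "6.0.0", "5.x.x"]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (optionally prefixed with 'v'); reject anything else loudly."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised FortiSOAR version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def matches_rule(version: tuple[int, int, int], rule: str) -> bool:
    """Evaluate one advisory rule: 'X.Y.Z and below', 'X.x.x', or an exact 'X.Y.Z'."""
    major, minor, patch = version
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+) and below", rule)
    if m:  # assumption: bounded to the same major.minor line
        r_major, r_minor, r_patch = (int(g) for g in m.groups())
        return (major, minor) == (r_major, r_minor) and patch <= r_patch
    m = re.fullmatch(r"(\d+)\.x\.x", rule)
    if m:  # whole major line, e.g. every 5.x.x release
        return major == int(m.group(1))
    return version == parse_version(rule)  # exact release, e.g. 6.0.0


def assess(version_text: str) -> str:
    """Return 'fixed', 'affected', or 'review' (below 7.2.0 but outside every listed range)."""
    version = parse_version(version_text)
    if version >= FIXED_VERSION:
        return "fixed"
    if any(matches_rule(version, rule) for rule in AFFECTED_RULES):
        return "affected"
    return "review"  # e.g. 7.1.x: the headline says "before 7.2.0" but the list omits it


if __name__ == "__main__":
    for sample in ("7.0.2", "6.4.3", "6.0.0", "5.1.0", "7.1.0", "7.2.0"):  # constructed
        print(f"{sample:>6}: {assess(sample)}")
```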

Solutions

Please upgrade to FortiSOAR version 7.2.0 or above.

OR

Install a security patch to fix this vulnerability on FortiSOAR affected versions as follows:
SSH to your FortiSOAR VM and log in as a root user.
Download the security patch file from the repository server using the following command:
wget https://update.cybersponse.com/patches/nginx-security-patch
Update the permissions of the file and run the following commands to apply the patch:
sudo chmod 755 nginx-security-patch
sudo ./nginx-security-patch

Acknowledgement

Internally discovered and reported by the FortiSOAR development team.
