IR Number FG-IR-20-177
Date Jan 4, 2021
Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High
CVSSv3 Score 8.6
Impact Execute unauthorized code or commands
CVE ID CVE-2020-29017
Affected Products
FortiDeceptor : 4.0.0, 3.3.1, 3.3.0, 3.2.1, 3.2.0, 3.1.1, 3.1.0, 3.0.2, 3.0.1, 3.0.0, 2.1.0, 2.0.0, 1.1.0, 1.0.1, 1.0.0
CVRF Download

PSIRT Advisories

FortiDeceptor - OS command injection vulnerabilities

Summary

Multiple OS command injection vulnerabilities in FortiDeceptor management interface may allow an authenticated user to execute arbitrary commands on the system via specifically crafted web requests.

Affected Products

FortiDeceptor version 4.0.0.
FortiDeceptor versions 3.3.1 and below.
FortiDeceptor versions 3.2.1 and below.
FortiDeceptor versions 3.1.x.
FortiDeceptor versions 3.0.x
FortiDeceptor versions 1.x.

 

Solutions

Please upgrade to FortiDeceptor versions 4.1.0 or above.
Please upgrade to FortiDeceptor versions 3.3.2 or above.
Please upgrade to FortiDeceptor versions 3.2.2 or above.

Acknowledgement

Fortinet is pleased to thank Chua Wei Kiat for finding and reporting this issue.