PSIRT Advisories

FortiAnalyzer & FortiManager - FortiCloud credentials observed in cleartext in the log file

Summary

An information disclosure vulnerability [CWE-200] in FortiAnalyzer and FortiManager VM may allow an authenticated attacker to read, in cleartext, the FortiCloud credentials that were used to activate the trial license.

Affected Products

FortiManager version 7.0.0.
FortiManager versions 6.4.6 and below.

FortiAnalyzer version 7.0.0.
FortiAnalyzer versions 6.4.6 and below.

Solutions

Please upgrade to FortiManager version 6.4.7 or above.
Please upgrade to FortiManager version 7.0.1 or above.

Please upgrade to FortiAnalyzer version 6.4.7 or above.
Please upgrade to FortiAnalyzer version 7.0.1 or above.

Acknowledgement

Fortinet is pleased to thank Evgenii Erinskii from the Technical Support Team for reporting this vulnerability under responsible disclosure.