PSIRT Advisories

FortiSOAR - Improper access control on gateway API

Summary

An improper access control vulnerability [CWE-284] in FortiSOAR may allow an unauthenticated attacker to access gateway API data via crafted HTTP GET requests.

Affected Products

FortiSOAR versions 7.0.2 and below
FortiSOAR versions 6.4.4 and below
FortiSOAR version 6.0.0
FortiSOAR versions 5.x.x

Solutions

Please upgrade to FortiSOAR version 7.2.0 or above.

OR

Install a security patch to fix this vulnerability on affected FortiSOAR versions as follows:
1. SSH to your FortiSOAR VM and log in as the root user.
2. Download the security patch file from the repository server using the following command:
   wget https://update.cybersponse.com/patches/nginx-security-patch
3. Update the permissions of the file and run the following commands to apply the patch:
   sudo chmod 755 nginx-security-patch
   sudo ./nginx-security-patch
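Added example (not part of the Fortinet advisory, and not a FortiSOAR tool): a small Python helper that classifies an installed FortiSOAR version string against the ranges listed above and returns the matching remediation. It reads "X.Y.Z and below" as the X.Y branch up to patch Z (the reading under which the separate 6.0.0 entry is meaningful) and reports versions the advisory does not name either way as "not listed" rather than assuming they are safe.

```python
# Added example, not vendor code: classify a FortiSOAR version against this advisory.
# "X.Y.Z and below" is read as the X.Y branch up to patch Z (assumption, see lead-in).
from typing import Tuple

Version = Tuple[int, int, int]

FIXED_FROM: Version = (7, 2, 0)           # "upgrade to FortiSOAR version 7.2.0 or above"
AFFECTED_BRANCH_CEILING = {                # (major, minor) -> highest affected patch level
    (7, 0): 2,                             # 7.0.2 and below
    (6, 4): 4,                             # 6.4.4 and below
}
AFFECTED_EXACT = {(6, 0, 0)}               # 6.0.0
AFFECTED_MAJORS = {5}                      # 5.x.x


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (or 'X.Y', padded with .0) into a comparable tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSOAR version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a FortiSOAR version.

    'not listed' (e.g. 6.2.x or 7.1.x) means the advisory names the version
    neither as affected nor as fixed; it must not be read as 'safe'.
    """
    v = parse_version(text)
    major, minor, patch = v
    if v >= FIXED_FROM:
        return "fixed"
    if major in AFFECTED_MAJORS or v in AFFECTED_EXACT:
        return "affected"
    ceiling = AFFECTED_BRANCH_CEILING.get((major, minor))
    if ceiling is not None and patch <= ceiling:
        return "affected"
    return "not listed"


def remediation(text: str) -> str:
    """Map the classification to the action the advisory gives."""
    status = classify(text)
    if status == "fixed":
        return "no action: version is already 7.2.0 or above"
    if status == "affected":
        return "upgrade to FortiSOAR 7.2.0 or above, or apply nginx-security-patch"
    return "not listed in the advisory; confirm with the vendor before treating as unaffected"
```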

Acknowledgement

Internally discovered and reported by the FortiSOAR development team.