Glassfish local credentials stored in plain text

Summary

An improper authentication vulnerability [CWE-287] in FortiSIEM may allow a local attacker with CLI access to perform operations on the Glassfish server directly via a hardcoded password.

Affected Products

At least the following versions are affected:
FortiSIEM 6.4 all versions
FortiSIEM 6.3 all versions
FortiSIEM 6.2 all versions
FortiSIEM 6.1 all versions
FortiSIEM 5.4 all versions
FortiSIEM 5.3 all versions
FortiSIEM 5.2 all versions
FortiSIEM 5.1 all versions
FortiSIEM 5.0 all versions

Solutions

Please upgrade to FortiSIEM version 6.5.0 or above.

Acknowledgement

Fortinet is pleased to thank Victor Pasman and James Reno for reporting this vulnerability under responsible disclosure.

Timeline

2022-11-01: Initial publication