Use of hardcoded key for the JWT token
Summary
A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device.
Affected Products
FortiDDoS 5.5 all versions
FortiDDoS version 5.4.0 through 5.4.2
FortiDDoS version 5.3.0 through 5.3.1
FortiDDoS 5.2 all versions
FortiDDoS 5.1 all versions
Solutions
Please upgrade to upcoming FortoDDoS 5.6.0 or above.