PSIRT Advisories

FortiSOAR - PostgreSQL DB access to local users

Summary

A missing authentication for critical function [CWE-306] vulnerabilty in FortiSOAR's Postgres database may allow a local attacker to access sensitive information via logging into the database using a privileged account without a password.

Affected Products

FortiSOAR version 7.2.0 through 7.2.2
FortiSOAR version 7.0.0 through 7.0.3
FortiSOAR version 6.4.0 through 6.4.4

Solutions

Please upgrade to upcoming FortiSOAR version 7.3.0 or above

Acknowledgement

Fortinet is pleased to thank Alok Agarwal from Fortinet's Dev team.