PostgreSQL DB access to local users

Summary

A missing authentication for critical function [CWE-306] vulnerability in FortiSOAR's Postgres database may allow a local attacker to access sensitive information via logging into the database using a privileged account without a password.
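The advisory does not state the root cause. A common way a local user ends up logging into Postgres as a privileged role without a password is a "trust" rule in pg_hba.conf, so the following added check (not Fortinet's code, and assuming that mechanism) audits a pg_hba.conf for such rules; the sample file content is constructed.

```python
# Added example, not part of the Fortinet advisory. Audits pg_hba.conf for
# rules that let a connection authenticate with no password at all.
# Assumption: the misconfiguration is the "trust" method; the advisory does
# not say which mechanism produced the passwordless login.
from dataclasses import dataclass

# Constructed sample pg_hba.conf content (not taken from a FortiSOAR host).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER       ADDRESS        METHOD
local   all       postgres                  trust
local   all       all                       scram-sha-256
host    all       all        127.0.0.1/32   trust
host    all       app_user   10.0.0.0/8     md5
hostssl all       all        0.0.0.0/0      scram-sha-256
"""

PASSWORDLESS_METHODS = {"trust"}


@dataclass
class Finding:
    line_no: int
    conn_type: str
    database: str
    user: str
    address: str
    method: str


def parse_pg_hba(text):
    """Yield (line_no, fields) for each non-comment, non-empty rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def audit_pg_hba(text):
    """Return a Finding for every rule whose METHOD needs no password."""
    findings = []
    for n, f in parse_pg_hba(text):
        conn_type = f[0]
        if conn_type == "local":
            # local rules: TYPE DATABASE USER METHOD [OPTIONS]
            if len(f) < 4:
                continue
            db, user, address, method = f[1], f[2], "", f[3]
        else:
            # host rules: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
            # (the IP + separate netmask form shifts METHOD to f[5])
            if len(f) < 5:
                continue
            split_mask = len(f) >= 6 and "/" not in f[3] and f[4][0].isdigit()
            db, user, address = f[1], f[2], f[3] if not split_mask else f[3] + " " + f[4]
            method = f[5] if split_mask else f[4]
        if method in PASSWORDLESS_METHODS:
            findings.append(Finding(n, conn_type, db, user, address, method))
    return findings
```

Run audit_pg_hba over the real file (typically the data directory's pg_hba.conf) and treat any finding for a superuser role or for "all" users as the condition this advisory describes.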

Affected Products

FortiSOAR on-premise 7.3 all versions are not affected
FortiSOAR on-premise 7.2 all versions
FortiSOAR on-premise 7.0 all versions
FortiSOAR on-premise 6.4 all versions

Solutions

Please upgrade to upcoming FortiSOAR version 7.3.0 or above

Acknowledgement

Fortinet is pleased to thank Alok Agarwal from Fortinet's Dev team.

Timeline

2022-11-01: Initial publication