FortiClient - Information disclosure of folders to exclude from scanning

Summary

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows, Linux and Mac may allow a local authenticated attacker without administrative privileges to retrieve the list of files or folders excluded from malware scanning. Knowing the exclusions lets such an attacker place files in locations the scanner will skip.

Version                 Affected             Solution
FortiClientLinux 7.2    7.2.0                Upgrade to 7.2.1 or above
FortiClientLinux 7.0    7.0 all versions     Migrate to a fixed release
FortiClientLinux 6.4    6.4 all versions     Migrate to a fixed release
FortiClientLinux 6.2    6.2 all versions     Migrate to a fixed release
FortiClientMac 7.2      7.2.0 through 7.2.1  Upgrade to 7.2.2 or above
FortiClientMac 7.0      7.0 all versions     Migrate to a fixed release
FortiClientMac 6.4      6.4 all versions     Migrate to a fixed release
FortiClientMac 6.2      6.2 all versions     Migrate to a fixed release
FortiClientWindows 7.2  7.2.0                Upgrade to 7.2.1 or above
FortiClientWindows 7.0  7.0 all versions     Migrate to a fixed release
FortiClientWindows 6.4  6.4 all versions     Migrate to a fixed release
FortiClientWindows 6.2  6.2 all versions     Migrate to a fixed release

Acknowledgement

Fortinet is pleased to thank Alwin Warringa from Ordina for reporting this vulnerability under responsible disclosure.

Timeline

2023-10-05: Initial publication