FortiTester - Use of hardcoded password for the mongodb service

Summary

A use of hard-coded credentials vulnerability [CWE-798] in FortiTester may allow an attacker who managed to get a shell on the device to access the database via shell commands.

Version Affected Solution
FortiTester 7.3 Not affected Not Applicable
FortiTester 7.2 7.2 all versions Migrate to a fixed release
FortiTester 7.1 7.1 all versions Migrate to a fixed release
FortiTester 7.0 7.0 all versions Migrate to a fixed release
FortiTester 4.2 4.2 all versions Migrate to a fixed release
FortiTester 4.1 4.1 all versions Migrate to a fixed release
FortiTester 4.0 4.0 all versions Migrate to a fixed release
FortiTester 3.9 3.9 all versions Migrate to a fixed release
FortiTester 3.8 3.8 all versions Migrate to a fixed release
FortiTester 3.7 3.7 all versions Migrate to a fixed release
FortiTester 3.6 3.6 all versions Migrate to a fixed release
FortiTester 3.5 3.5 all versions Migrate to a fixed release
FortiTester 3.4 3.4 all versions Migrate to a fixed release
FortiTester 3.3 3.3 all versions Migrate to a fixed release
FortiTester 3.2 3.2 all versions Migrate to a fixed release
FortiTester 3.1 3.1 all versions Migrate to a fixed release
FortiTester 3.0 3.0 all versions Migrate to a fixed release
FortiTester 2.9 2.9 all versions Migrate to a fixed release
FortiTester 2.8 2.8 all versions Migrate to a fixed release
FortiTester 2.7 2.7 all versions Migrate to a fixed release
FortiTester 2.6 2.6 all versions Migrate to a fixed release
FortiTester 2.5 2.5 all versions Migrate to a fixed release
FortiTester 2.4 2.4 all versions Migrate to a fixed release
FortiTester 2.3 2.3 all versions Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.

Timeline

2023-09-01: Initial publication