FortiWeb - Unauthorized Configuration Download Vulnerability

Summary

An unauthorized configuration download vulnerability [CWE-285] in FortiWeb may allow a local attacker to access confidential configuration files via a crafted HTTP request.

Affected Products

FortiWeb 7.2 all versions are not affected
FortiWeb version 7.0.0 through 7.0.4
FortiWeb 6.4 all versions
FortiWeb version 6.3.6 through 6.3.23

Solutions

Please upgrade to FortiWeb version 7.0.5 or above.
Please upgrade to FortiWeb version 7.2.0 or above.
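The following is an added triage helper, not Fortinet's code and not part of this advisory: it encodes the affected ranges and fixed releases listed above so that an inventory of FortiWeb version strings can be checked mechanically. The version ranges are transcribed from the Affected Products and Solutions sections; the function names, the open-ended upper bound used to model "6.4 all versions", and the sample inventory are constructed assumptions.

```python
"""Affected-version triage for the FortiWeb unauthorized configuration download advisory.

Added example (assumption: this is not Fortinet's tooling). Ranges are copied from the
advisory; everything else here is constructed for illustration.
"""
from __future__ import annotations

import re

# Affected ranges from the advisory, inclusive on both ends.
# "FortiWeb 6.4 all versions" is modelled with a large upper patch number (assumption).
AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int]]] = [
    ((6, 3, 6), (6, 3, 23)),   # FortiWeb version 6.3.6 through 6.3.23
    ((6, 4, 0), (6, 4, 999)),  # FortiWeb 6.4 all versions
    ((7, 0, 0), (7, 0, 4)),    # FortiWeb version 7.0.0 through 7.0.4
]

# Fixed releases named in the Solutions section ("7.0.5 or above", "7.2.0 or above").
FIXED_RELEASES: list[tuple[int, int, int]] = [(7, 0, 5), (7, 2, 0)]

# Accepts "7.0.4", "v7.0.4", "7.0" (patch defaults to 0) and a trailing build suffix
# such as "7.0.4 build 0123"; the build suffix is ignored (assumption about the format).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\s.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a FortiWeb version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def format_version(version: tuple[int, int, int]) -> str:
    return ".".join(str(part) for part in version)


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range from the advisory."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> tuple[int, int, int] | None:
    """Lowest fixed release listed in the advisory that is newer than the given version.

    Returns None when the version is not affected. For 6.3/6.4 hosts this yields 7.0.5,
    the lowest fixed release the advisory names.
    """
    if not is_affected(text):
        return None
    version = parse_version(text)
    candidates = [fix for fix in FIXED_RELEASES if fix > version]
    return min(candidates) if candidates else None


def triage(inventory: dict[str, str]) -> dict[str, dict[str, object]]:
    """Map hostname -> {'affected': bool, 'upgrade_to': str | None} for an inventory."""
    report: dict[str, dict[str, object]] = {}
    for host, version_text in inventory.items():
        upgrade = recommended_upgrade(version_text)
        report[host] = {
            "affected": is_affected(version_text),
            "upgrade_to": format_version(upgrade) if upgrade else None,
        }
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "waf-edge-01": "7.0.4 build 0123",
        "waf-edge-02": "7.0.5",
        "waf-lab-01": "6.4.2",
        "waf-lab-02": "6.3.5",
        "waf-new-01": "7.2.1",
    }
    for host, result in triage(sample).items():
        print(f"{host}: affected={result['affected']} upgrade_to={result['upgrade_to']}")
```

The checker is deliberately strict about version strings: an unparseable value raises rather than silently passing as "not affected", which is the failure mode an inventory script should surface rather than hide.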

Acknowledgement

Internally discovered and reported by Yonghui Han of Fortinet IPS team.

Timeline

2023-02-16: Initial publication