Web server ETag exposure


An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow an unauthenticated attacker to fingerprint the device version via HTTP requests.

Version       Affected               Solution
FortiOS 7.4   7.4.0 through 7.4.1    Upgrade to 7.4.2 or above
FortiOS 7.2   7.2.0 through 7.2.5    Upgrade to 7.2.6 or above
FortiOS 7.0   7.0 all versions       Migrate to a fixed release
FortiOS 6.4   6.4 all versions       Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
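
The affected-version table above can be applied to a device inventory as follows. This is an added example, not Fortinet code: the function names, status labels and sample inventory are constructed for illustration, and branches the advisory does not list are reported as such rather than assumed safe.

```python
import re

# Affected ranges transcribed from the advisory table.
# (major, minor) -> (first affected patch, last affected patch, solution)
# A last patch of None means "all versions" of that branch are affected.
AFFECTED = {
    (7, 4): (0, 1, "Upgrade to 7.4.2 or above"),
    (7, 2): (0, 5, "Upgrade to 7.2.6 or above"),
    (7, 0): (0, None, "Migrate to a fixed release"),
    (6, 4): (0, None, "Migrate to a fixed release"),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'v7.2.5,build1517'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version_text):
    """Return (status, action) for one FortiOS version string."""
    major, minor, patch = parse_version(version_text)
    entry = AFFECTED.get((major, minor))
    if entry is None:
        # The advisory says nothing about this branch; do not infer safety.
        return ("not-listed", "Branch not covered by this advisory")
    low, high, solution = entry
    if high is None or low <= patch <= high:
        return ("affected", solution)
    return ("fixed", "No action needed for this advisory")


def triage_inventory(inventory):
    """Map each host name to its (status, action) pair."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> reported version string.
    sample = {"fw-edge-01": "v7.4.1", "fw-edge-02": "7.4.2",
              "fw-branch-07": "v7.2.5,build1517", "fw-lab-03": "6.4.14"}
    for host, (status, action) in sorted(triage_inventory(sample).items()):
        print(f"{host:14} {status:11} {action}")
```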


Fortinet is pleased to thank security researcher Andreas Korpås at Institute for Energy Technology SOC for discovering and reporting this vulnerability under responsible disclosure.


2024-04-09: Initial publication