PSIRTLack of capacity to filter logs by administrator access
Summary
An Exposure of personal information to an unauthorized actor [CWE-359] in FortiManager, FortiAnalyzer & FortiAnalyzer-BigData may allow a privileged attacker with administrative read permissions to read event logs of another adom via crafted HTTP or HTTPs requests.
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiAnalyzer 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiAnalyzer-BigData 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiManager 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiManager 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiManager 6.2 | 6.2 all versions | Migrate to a fixed release |
Acknowledgement
Fortinet is pleased to thank Mickael Dorigny of Orange Cyberdefense and Frédric Prevost, François-Xavier Picard and Orange CERT-CC of Orange group for reporting this vulnerability under responsible disclosure.Timeline
2024-11-12: Initial publication2024-11-14: Adding Orange CERT-CC advisory as reference