FortiManager - Informative error messages

Summary

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager, FortiAnalyzer & FortiAnalyzer-BigData may allow an adom administrator to enumerate other adoms and device names via crafted HTTP or HTTPS requests.

Version Affected Solution
FortiAnalyzer 7.4 7.4.0 through 7.4.1 Upgrade to 7.4.2 or above
FortiAnalyzer 7.2 7.2.0 through 7.2.3 Upgrade to 7.2.4 or above
FortiAnalyzer 7.0 7.0.0 through 7.0.11 Update to 7.0.12 or above
FortiAnalyzer 6.4 6.4 all versions Migrate to a fixed release
FortiAnalyzer 6.2 6.2 all versions Migrate to a fixed release
FortiAnalyzer-BigData 7.4 Not affected Not Applicable
FortiAnalyzer-BigData 7.2 7.2.0 through 7.2.5 Upgrade to 7.2.6 or above
FortiAnalyzer-BigData 7.0 7.0 all versions Migrate to a fixed release
FortiAnalyzer-BigData 6.4 6.4 all versions Migrate to a fixed release
FortiAnalyzer-BigData 6.2 6.2 all versions Migrate to a fixed release
FortiManager 7.4 7.4.0 through 7.4.1 Upgrade to 7.4.2 or above
FortiManager 7.2 7.2.0 through 7.2.3 Upgrade to 7.2.4 or above
FortiManager 7.0 7.0.0 through 7.0.11 Update to 7.0.12 or above
FortiManager 6.4 6.4 all versions Migrate to a fixed release
FortiManager 6.2 6.2 all versions Migrate to a fixed release

Acknowledgement

Fortinet is pleased to thanks Mickael Dorigny at Orange Cyberdefense and Frédéric Prevost, François-Xavier Picard and Orange CERT-CC at Orange group for reporting this vulnerability under responsible disclosure.

Timeline

2024-02-01: Initial publication
2024-04-08: Adding fix for FortiAnalyzer 7.0 and FortiManager 7.0