Format string vulnerability in administrative interface
Summary
An externally-controlled format string vulnerability [CWE-134] in FortiManager, FortiAnalyzer, FortiAnalyzer-BigData & FortiPortal may allow a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.
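The vulnerable pattern behind CWE-134 beside its hardened form, plus a directive-counting check a defender can use to filter command arguments or build a log-detection rule. This is an added illustrative example in C, not Fortinet code; the advisory does not publish the affected code path, and the function names and the sample argument are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative CLI argument handling for CWE-134. Added example: not Fortinet
 * code; the advisory does not disclose the real code path. The pragmas only
 * let the vulnerable pattern compile here; real builds keep these warnings. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Vulnerable pattern: the externally controlled argument *is* the format
 * string, so every %-directive in it is interpreted ("100%%" -> "100%"). */
int render_vulnerable(char *out, size_t n, const char *arg)
{
    return snprintf(out, n, arg);
}

/* Hardened pattern: a literal format string; the argument is data only and
 * is copied verbatim ("100%%" stays "100%%"). */
int render_fixed(char *out, size_t n, const char *arg)
{
    return snprintf(out, n, "%s", arg);
}

/* Defensive check usable as an interim input filter or a log-detection rule:
 * count conversion directives in a string that must never act as a format.
 * A doubled "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;            /* a directive such as %x, %s or %p starts here */
    }
    return count;
}

int main(void)
{
    char buf[64];
    render_vulnerable(buf, sizeof buf, "100%%");  /* constructed sample argument */
    printf("vulnerable sink: %s\n", buf);         /* prints 100% */
    render_fixed(buf, sizeof buf, "100%%");
    printf("fixed sink: %s, directives in \"%%x %%s\": %d\n", buf,
           count_format_directives("%x %s"));     /* prints 100%%, 2 */
    return 0;
}
```

The benign "100%%" argument is enough to tell the two sinks apart without invoking undefined behaviour, which makes it a safe probe for a regression test.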
Affected Products
FortiManager version 7.4.0 through 7.4.1
FortiManager version 7.2.0 through 7.2.3
FortiManager 7.0 all versions
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiAnalyzer version 7.4.0 through 7.4.1
FortiAnalyzer version 7.2.0 through 7.2.3
FortiAnalyzer 7.0 all versions
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions
FortiAnalyzer-BigData version 7.2.0 through 7.2.5
FortiAnalyzer-BigData version 7.0.1 through 7.0.6
FortiAnalyzer-BigData version 6.4.5 through 6.4.7
FortiAnalyzer-BigData version 6.2.5
FortiPortal version 6.0.0 through 6.0.14
FortiPortal 5.3 all versions
Solutions
Please upgrade to FortiManager version 7.4.2 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.10 or above
Please upgrade to FortiAnalyzer-BigData version 7.4.0 or above
Please upgrade to FortiAnalyzer-BigData version 7.2.6 or above
Please upgrade to FortiPortal version 6.0.15 or above
Please upgrade to FortiAnalyzer version 7.4.2 or above
Please upgrade to FortiAnalyzer version 7.2.4 or above
Please upgrade to FortiAnalyzer version 7.0.10 or above
Acknowledgement
Internally discovered and reported by Diego Bernardelli from Fortinet's advanced TAC support team.
Timeline
2024-03-07: Initial publication