Improper restriction over excessive authentication attempts Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-20-078 Final 1 1 2023-03-07T00:00:00 Current version 2023-03-07T00:00:00 2023-03-07T00:00:00 An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiAuthenticator, FortiDeceptor & FortiMail may allow a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form. None Denial of service FortiAuthenticator version 6.4 all versionsFortiAuthenticator version 6.3 all versionsFortiAuthenticator version 6.2 all versionsFortiAuthenticator version 6.1 all versionsFortiAuthenticator version 6.0 all versionsFortiAuthenticator version 5.5 all versionsFortiAuthenticator version 5.4 all versionsFortiDeceptor version 3.1 all versionsFortiDeceptor version 3.0 all versionsFortiDeceptor version 2.1 all versionsFortiDeceptor version 2.0 all versionsFortiDeceptor version 1.1 all versionsFortiDeceptor version 1.0 all versionsFortiMail version 6.4.0FortiMail version 6.2.1 through 6.2.4FortiMail version 6.0.0 through 6.0.9 Please upgrade to FortiAuthenticator version 6.5.0 or above,Please upgrade to FortiDeceptor version 3.2.0 or above.Please upgrade to FortiMail version 6.4.1 or above,Please upgrade to FortiMail version 6.2.5 or above,Please upgrade to FortiMail version 6.0.10 or above. Fortinet is pleased to thank Danilo Costa from Conviso Application Security who reported this vulnerability under responsible disclosure. CVE-2022-29056 CVE-2023-26208 CVE-2023-26209 3.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-20-078 Improper restriction over excessive authentication attempts Reference>