FortiAuthenticator, FortiDeceptor & FortiMail - Improper restriction over excessive authentication attempts
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-20-078
Final
1
1
2023-03-07T00:00:00
Current version
2023-03-07T00:00:00
2023-03-07T00:00:00
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiAuthenticator, FortiDeceptor & FortiMail may allow a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
None
Denial of service
FortiAuthenticator version 6.4 all versions
FortiAuthenticator version 6.3 all versions
FortiAuthenticator version 6.2 all versions
FortiAuthenticator version 6.1 all versions
FortiAuthenticator version 6.0 all versions
FortiAuthenticator version 5.5 all versions
FortiAuthenticator version 5.4 all versions
FortiDeceptor version 3.1 all versions
FortiDeceptor version 3.0 all versions
FortiDeceptor version 2.1 all versions
FortiDeceptor version 2.0 all versions
FortiDeceptor version 1.1 all versions
FortiDeceptor version 1.0 all versions
FortiMail version 6.4.0
FortiMail version 6.2.1 through 6.2.4
FortiMail version 6.0.0 through 6.0.9
Please upgrade to FortiAuthenticator version 6.5.0 or above.
Please upgrade to FortiDeceptor version 3.2.0 or above.
Please upgrade to FortiMail version 6.4.1 or above.
Please upgrade to FortiMail version 6.2.5 or above.
Please upgrade to FortiMail version 6.0.10 or above.
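The weakness class named in the description (CWE-307) is a login endpoint that performs its full, deliberately expensive credential check for every request with no cap on how many attempts a single source or account may make. The following Python sketch is an added illustration of the mitigation pattern, not Fortinet's code and not tied to how any of the listed products implement their fix: a bounded-memory limiter keyed on both client address and username is consulted before the costly password verification, so a flood of guesses is refused cheaply and the limiter's own state cannot be grown without bound. Class and function names, thresholds, the sample user and the sample addresses are all constructed for this example.

```python
import hashlib
import hmac
from collections import OrderedDict, deque

# Password hashing is slow on purpose; that CPU cost is exactly what an
# unthrottled login form lets an unauthenticated caller spend at will.
PBKDF2_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Dummy record (constructed) so unknown usernames take the same code path
# and cost as known ones, without revealing which accounts exist.
DUMMY_SALT = b"constructed-dummy-salt"
DUMMY_HASH = _hash_password("", DUMMY_SALT)


class SlidingWindowLimiter:
    """Per-key failure limiter with bounded memory (hypothetical helper).

    Each key maps to recent failure timestamps plus an optional lockout
    expiry. The table is an OrderedDict capped at max_tracked keys; the
    least-recently-seen key is evicted first, so a flood of distinct
    addresses or usernames cannot turn the throttle into a memory sink.
    """

    def __init__(self, max_failures, window, lockout, max_tracked=10_000):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.max_tracked = max_tracked
        self._state = OrderedDict()  # key -> [deque of failure times, locked_until or None]

    def _get(self, key):
        if key in self._state:
            self._state.move_to_end(key)
        else:
            self._state[key] = [deque(), None]
            if len(self._state) > self.max_tracked:
                self._state.popitem(last=False)  # evict least recently seen key
        return self._state[key]

    def is_blocked(self, key, now):
        st = self._state.get(key)
        if st is None or st[1] is None:
            return False
        if now < st[1]:
            return True
        del self._state[key]  # lockout expired; start with a clean slate
        return False

    def record_failure(self, key, now):
        times, _ = self._get(key)
        while times and now - times[0] > self.window:
            times.popleft()  # drop failures outside the sliding window
        times.append(now)
        if len(times) >= self.max_failures:
            self._state[key][1] = now + self.lockout

    def record_success(self, key):
        self._state.pop(key, None)


class LoginService:
    """Login handler that consults the limiter before any expensive work."""

    def __init__(self, users, limiter):
        self.users = users  # username -> (salt, pbkdf2 hash)
        self.limiter = limiter
        self.hash_evaluations = 0  # how many costly verifications actually ran

    def login(self, username, password, client_ip, now):
        keys = (f"ip:{client_ip}", f"user:{username}")
        # Cheap dictionary lookups first: a blocked source or account never
        # reaches the PBKDF2 path, which is the resource the attack consumes.
        if any(self.limiter.is_blocked(k, now) for k in keys):
            return "rate_limited"
        record = self.users.get(username)
        salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
        self.hash_evaluations += 1
        ok = record is not None and hmac.compare_digest(_hash_password(password, salt), expected)
        if ok:
            self.limiter.record_success(keys[1])
            return "ok"
        for k in keys:
            self.limiter.record_failure(k, now)
        return "invalid"


def demo():
    """Constructed scenario: 20 wrong guesses from one address, then the right password later."""
    salt = b"constructed-fixed-salt"  # a real system would use os.urandom(16) per user
    users = {"alice": (salt, _hash_password("correct horse", salt))}
    svc = LoginService(users, SlidingWindowLimiter(max_failures=5, window=60.0, lockout=300.0))
    results = [svc.login("alice", f"guess{i}", "198.51.100.7", now=float(i)) for i in range(20)]
    # Only the first 5 guesses are verified; the remaining 15 are refused without hashing.
    after_lockout = svc.login("alice", "correct horse", "198.51.100.7", now=400.0)
    return {"results": results, "hash_evaluations": svc.hash_evaluations, "after_lockout": after_lockout}


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight here: the limiter answers from in-memory counters before the password hash is ever computed, and the counter table itself has a hard size cap with LRU eviction, because an unbounded "attempts per IP" map is just a second way to exhaust memory from the same unauthenticated position.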
Fortinet is pleased to thank Danilo Costa from Conviso Application Security who reported this vulnerability under responsible disclosure.
FortiAuthenticator 6.4.9
FortiAuthenticator 6.4.8
FortiAuthenticator 6.4.7
FortiAuthenticator 6.4.6
FortiAuthenticator 6.4.5
FortiAuthenticator 6.4.4
FortiAuthenticator 6.4.3
FortiAuthenticator 6.4.2
FortiAuthenticator 6.4.1
FortiAuthenticator 6.4.0
FortiAuthenticator 6.3.4
FortiAuthenticator 6.3.3
FortiAuthenticator 6.3.2
FortiAuthenticator 6.3.1
FortiAuthenticator 6.3.0
FortiAuthenticator 6.2.2
FortiAuthenticator 6.2.1
FortiAuthenticator 6.2.0
FortiAuthenticator 6.1.3
FortiAuthenticator 6.1.2
FortiAuthenticator 6.1.1
FortiAuthenticator 6.1.0
FortiAuthenticator 6.0.8
FortiAuthenticator 6.0.7
FortiAuthenticator 6.0.6
FortiAuthenticator 6.0.5
FortiAuthenticator 6.0.4
FortiAuthenticator 6.0.3
FortiAuthenticator 6.0.2
FortiAuthenticator 6.0.1
FortiAuthenticator 6.0.0
FortiAuthenticator 5.5.0
FortiAuthenticator 5.4.1
FortiAuthenticator 5.4.0
FortiAuthenticator 5.3.1
FortiAuthenticator 5.3.0
FortiAuthenticator 5.2.2
FortiAuthenticator 5.2.1
FortiAuthenticator 5.2.0
FortiAuthenticator 5.1.2
FortiAuthenticator 5.1.1
FortiAuthenticator 5.1.0
FortiDeceptor 3.1.1
FortiDeceptor 3.1.0
FortiDeceptor 3.0.2
FortiDeceptor 3.0.1
FortiDeceptor 3.0.0
FortiDeceptor 2.1.0
FortiDeceptor 2.0.0
FortiDeceptor 1.1.0
FortiDeceptor 1.0.1
FortiDeceptor 1.0.0
FortiMail 6.4.0
FortiMail 6.2.4
FortiMail 6.2.3
FortiMail 6.2.2
FortiMail 6.2.1
FortiMail 6.0.9
FortiMail 6.0.8
FortiMail 6.0.7
FortiMail 6.0.6
FortiMail 6.0.5
FortiMail 6.0.4
FortiMail 6.0.3
FortiMail 6.0.2
FortiMail 6.0.1
FortiMail 6.0.0
FortiMail 5.4.12
FortiMail 5.4.11
FortiMail 5.4.10
FortiMail 5.4.9
FortiMail 5.4.8
FortiMail 5.4.7
FortiMail 5.4.6
FortiMail 5.4.5
FortiMail 5.4.4
FortiMail 5.4.3
FortiMail 5.4.2
FortiMail 5.4.1
FortiMail 5.4.0
CVE-2022-29056
CVE-2023-26208
CVE-2023-26209
FortiAuthenticator-6.4.9
FortiAuthenticator-6.4.8
FortiAuthenticator-6.4.7
FortiAuthenticator-6.4.6
FortiAuthenticator-6.4.5
FortiAuthenticator-6.4.4
FortiAuthenticator-6.4.3
FortiAuthenticator-6.4.2
FortiAuthenticator-6.4.1
FortiAuthenticator-6.4.0
FortiAuthenticator-6.3.4
FortiAuthenticator-6.3.3
FortiAuthenticator-6.3.2
FortiAuthenticator-6.3.1
FortiAuthenticator-6.3.0
FortiAuthenticator-6.2.2
FortiAuthenticator-6.2.1
FortiAuthenticator-6.2.0
FortiAuthenticator-6.1.3
FortiAuthenticator-6.1.2
FortiAuthenticator-6.1.1
FortiAuthenticator-6.1.0
FortiAuthenticator-6.0.8
FortiAuthenticator-6.0.7
FortiAuthenticator-6.0.6
FortiAuthenticator-6.0.5
FortiAuthenticator-6.0.4
FortiAuthenticator-6.0.3
FortiAuthenticator-6.0.2
FortiAuthenticator-6.0.1
FortiAuthenticator-6.0.0
FortiAuthenticator-5.5.0
FortiAuthenticator-5.4.1
FortiAuthenticator-5.4.0
FortiAuthenticator-5.3.1
FortiAuthenticator-5.3.0
FortiAuthenticator-5.2.2
FortiAuthenticator-5.2.1
FortiAuthenticator-5.2.0
FortiAuthenticator-5.1.2
FortiAuthenticator-5.1.1
FortiAuthenticator-5.1.0
FortiDeceptor-3.1.1
FortiDeceptor-3.1.0
FortiDeceptor-3.0.2
FortiDeceptor-3.0.1
FortiDeceptor-3.0.0
FortiDeceptor-2.1.0
FortiDeceptor-2.0.0
FortiDeceptor-1.1.0
FortiDeceptor-1.0.1
FortiDeceptor-1.0.0
FortiMail-6.4.0
FortiMail-6.2.4
FortiMail-6.2.3
FortiMail-6.2.2
FortiMail-6.2.1
FortiMail-6.0.9
FortiMail-6.0.8
FortiMail-6.0.7
FortiMail-6.0.6
FortiMail-6.0.5
FortiMail-6.0.4
FortiMail-6.0.3
FortiMail-6.0.2
FortiMail-6.0.1
FortiMail-6.0.0
FortiMail-5.4.12
FortiMail-5.4.11
FortiMail-5.4.10
FortiMail-5.4.9
FortiMail-5.4.8
FortiMail-5.4.7
FortiMail-5.4.6
FortiMail-5.4.5
FortiMail-5.4.4
FortiMail-5.4.3
FortiMail-5.4.2
FortiMail-5.4.1
FortiMail-5.4.0
3.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-20-078