First published: Tue Jul 11 2023
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in the FortiAnalyzer and FortiManager management interface, versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, and all 6.4 versions, may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
Credit: psirt@fortinet.com
Affected Software | Affected Version | How to fix |
---|---|---|
Fortinet FortiAnalyzer | >=6.4.0 <6.4.12 | Upgrade to FortiAnalyzer version 6.4.12 or above |
Fortinet FortiAnalyzer | >=7.0.0 <=7.0.5 | Upgrade to FortiAnalyzer version 7.0.7 or above |
Fortinet FortiAnalyzer | >=7.2.0 <7.2.2 | Upgrade to FortiAnalyzer version 7.2.2 or above |
Fortinet FortiManager | >=6.4.0 <6.4.12 | Upgrade to FortiManager version 6.4.12 or above |
Fortinet FortiManager | >=7.0.0 <=7.0.5 | Upgrade to FortiManager version 7.0.7 or above |
Fortinet FortiManager | >=7.2.0 <7.2.2 | Upgrade to FortiManager version 7.2.2 or above |
CVE-2023-25606
An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability
The severity of CVE-2023-25606 is medium with a CVSS score of 6.5.
FortiAnalyzer versions 6.4.0 to 6.4.12, 7.0.0 to 7.0.5, and 7.2.0 to 7.2.2, as well as FortiManager versions 6.4.0 to 6.4.12, 7.0.0 to 7.0.5, and 7.2.0 to 7.2.2 are affected by CVE-2023-25606.
A remote and authenticated attacker can exploit CVE-2023-25606 to retrieve arbitrary files from the vulnerable system.
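The defect class behind this advisory (CWE-23) is a file-serving handler that joins a client-supplied path onto a base directory without confirming the result stays inside it. The following is an added example, not Fortinet's code and not taken from the advisory, of the containment check such a handler needs; the base directory `/var/www/static` and the request paths in the test are constructed assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical directory the handler is allowed to serve from (assumption for
# this example, not a path from the advisory or the product).
ALLOWED_ROOT = "/var/www/static"


def resolve_request_path(root: str, requested: str) -> str:
    """Map a client-supplied path onto `root`, or raise ValueError if it would
    escape `root`. The vulnerable pattern is simply `open(join(root, requested))`;
    this version decodes, normalizes and then checks containment."""
    decoded = requested
    for _ in range(3):                      # bounded: catches double/triple %-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                   # NUL would truncate the path in C-level opens
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")    # conservative: treat backslash as a separator
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    root_norm = posixpath.normpath(root)
    # Lexically collapse '.' and '..', then join and normalize again so any
    # leading '..' segments are resolved against the root.
    candidate = posixpath.normpath(posixpath.join(root_norm, posixpath.normpath(decoded)))
    # Containment check: the candidate must be root itself or a descendant of it.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError("path escapes root")
    # Note: this is lexical only; a real handler should also apply os.path.realpath
    # to both sides before the comparison so symlinks cannot point outside root.
    return candidate


def is_safe_request(requested: str, root: str = ALLOWED_ROOT) -> bool:
    """True when the request resolves to a location inside root."""
    try:
        resolve_request_path(root, requested)
        return True
    except ValueError:
        return False
```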
More information about CVE-2023-25606 is available in the vendor advisory: [FortiGuard Advisory FG-IR-22-471](https://fortiguard.com/psirt/FG-IR-22-471).