CVE-2023-33306: Authenticated user null pointer dereference in SSL-VPN
First published: Fri Jun 16 2023(Updated: )
A null pointer dereference in Fortinet FortiOS before 7.2.5, before 7.0.11 and before 6.4.13, FortiProxy before 7.2.4 and before 7.0.10 allows attacker to denial of sslvpn service via specifically crafted request in bookmark parameter.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiProxy | >=7.0.0<7.0.10 | |
| Fortinet FortiProxy | >=7.2.0<7.2.4 | |
| Fortinet FortiOS | >=6.4.0<6.4.13 | |
| Fortinet FortiOS | >=7.0.0<7.0.11 | |
| Fortinet FortiOS | >=7.2.0<7.2.5 |
Remedy
Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiOS version 7.2.5 or above Please upgrade to FortiOS version 7.0.11 or above Please upgrade to FortiOS version 6.4.13 or above Please upgrade to FortiProxy version 7.2.4 or above Please upgrade to FortiProxy version 7.2.3 or above Please upgrade to FortiProxy version 7.0.9 or above Please upgrade to FortiProxy version 7.0.10 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-33306?
CVE-2023-33306 is a null pointer dereference vulnerability in Fortinet FortiOS, FortiProxy, and SSL VPN service.
How does CVE-2023-33306 affect Fortinet products?
CVE-2023-33306 affects Fortinet FortiOS versions before 7.2.5, before 7.0.11, and before 6.4.13. It also affects FortiProxy versions before 7.2.4 and before 7.0.10.
What is the severity of CVE-2023-33306?
CVE-2023-33306 has a severity rating of 6.5 (Medium).
How can an attacker exploit CVE-2023-33306?
An attacker can exploit CVE-2023-33306 by sending a specifically crafted request in the bookmark parameter, resulting in a denial of SSL VPN service.
Is there a fix for CVE-2023-33306?
Yes, Fortinet has released updates to address CVE-2023-33306. It is recommended to update to FortiOS 7.2.5, 7.0.11, or 6.4.13, or FortiProxy 7.2.4 or 7.0.10 to mitigate the vulnerability.
- agent/type
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2023-33306
- collector/fortiguard-psirt
- alias/CVE-2023-33307
- agent/references
- agent/title
- agent/severity
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- vendor/fortinet
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.2.0
- canonical/fortinet fortios
- version/fortinet fortios/6.4.0
- version/fortinet fortios/7.0.0
- version/fortinet fortios/7.2.0