CVE-2023-36639: Format String Bug in HTTPSd
First published: Tue Dec 12 2023(Updated: )
A format string vulnerability [CWE-134] in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM may allow an authenticated user to execute unauthorized code or commands via specially crafted API requests.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FortiOS | =. | |
| FortiOS | >=7.2.0<=7.2.4 | |
| FortiOS | >=7.0.0<=7.0.11 | |
| FortiOS | >=6.4.0<=6.4.12 | |
| FortiOS | >=6.2.0<=6.2.15 | |
| FortiOS | >=6.0 | |
| FortiGuard FortiPAM | =. | |
| FortiGuard FortiPAM | >=1.0 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.4 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.10 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.10 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.4 | |
| FortiOS | >=6.0.0<=6.0.17 | |
| FortiOS | >=6.2.0<=6.2.15 | |
| FortiOS | >=6.4.0<=6.4.12 | |
| FortiOS | >=7.0.0<=7.0.11 | |
| FortiOS | >=7.2.0<=7.2.4 | |
| FortiOS | =7.4.0 | |
| FortiGuard FortiPAM | >=1.0.0<=1.0.3 | |
| FortiGuard FortiPAM | =1.1.0 |
Remedy
Please upgrade to FortiOS version 7.4.1 or above Please upgrade to FortiOS version 7.2.5 or above Please upgrade to FortiOS version 7.0.12 or above Please upgrade to FortiOS version 6.4.13 or above Please upgrade to FortiOS version 6.2.16 or above Please upgrade to FortiPAM version 1.2.0 or above Please upgrade to FortiPAM version 1.1.1 or above Please upgrade to FortiProxy version 7.4.0 or above Please upgrade to FortiProxy version 7.2.5 or above Please upgrade to FortiProxy version 7.0.11 or above Please upgrade to FortiSASE version 23.3 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-36639?
CVE-2023-36639 has a high severity rating due to its potential to allow unauthorized command execution.
How do I fix CVE-2023-36639?
To mitigate CVE-2023-36639, upgrade to FortiOS version 7.4.1, FortiProxy version 7.2.5, or FortiPAM version 1.1.1.
Which software versions are affected by CVE-2023-36639?
CVE-2023-36639 affects FortiOS versions 6.0.0 to 7.0.11, FortiProxy versions 7.0.0 to 7.2.4, and FortiPAM versions 1.0.0 to 1.1.0.
Can unauthenticated users exploit CVE-2023-36639?
No, CVE-2023-36639 is only exploitable by authenticated users who can craft specific API requests.
What are the implications of exploiting CVE-2023-36639?
Exploitation of CVE-2023-36639 could lead to unauthorized code execution or command execution on affected systems.
- agent/type
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2023-36639
- agent/remedy
- agent/weakness
- agent/author
- agent/first-publish-date
- agent/event
- agent/severity
- agent/references
- agent/description
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/fortiguard-psirt
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/fortinet
- canonical/fortios
- version/fortios/.
- version/fortios/7.2.0
- version/fortios/7.2.4
- version/fortios/7.0.0
- version/fortios/7.0.11
- version/fortios/6.4.0
- version/fortios/6.4.12
- version/fortios/6.2.0
- version/fortios/6.2.15
- version/fortios/6.0
- canonical/fortiguard fortipam
- version/fortiguard fortipam/.
- version/fortiguard fortipam/1.0
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.4
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.10
- version/fortios/6.0.0
- version/fortios/6.0.17
- version/fortios/7.4.0
- version/fortiguard fortipam/1.0.0
- version/fortiguard fortipam/1.0.3
- version/fortiguard fortipam/1.1.0