What is the severity of CVE-2023-36640?

CVE-2023-36640 is classified as a medium-severity vulnerability due to the potential for remote code execution via format string manipulation.

How do I fix CVE-2023-36640?

To mitigate CVE-2023-36640, upgrade Fortinet FortiProxy versions to at least 7.2.6 or FortiOS to at least 7.2.6.

Which Fortinet products are affected by CVE-2023-36640?

CVE-2023-36640 affects multiple versions of Fortinet FortiProxy, FortiOS, and FortiPAM.

What are the impacted versions for FortiProxy related to CVE-2023-36640?

FortiProxy versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.10 are impacted by CVE-2023-36640.

Is there a patch available for CVE-2023-36640?

Yes, patches for CVE-2023-36640 are available in the form of version upgrades for affected Fortinet products.

Vulnerability/
CVE-2023-36640

medium

6.7

CWE

134

14/5/2024

2/8/2024

23/10/2024

CVE-2023-36640: Format String Bug in cli command

First published: Tue May 14 2024(Updated: )

A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiPAM versions 1.0.0 through 1.0.3, FortiOS versions 7.2.0, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.16 allows attacker to execute unauthorized code or commands via specially crafted commands

Credit: psirt@fortinet.com

Affected Software	Affected Version	How to fix
Fortinet FortiProxy	>=1.0.0<=1.0.7
Fortinet FortiProxy	>=1.1.0<=1.1.6
Fortinet FortiProxy	>=1.2.0<=1.2.13
Fortinet FortiProxy	>=2.0.0<=2.0.14
Fortinet FortiProxy	>=7.0.0<=7.0.10
Fortinet FortiProxy	>=7.2.0<=7.2.4
FortiGuard FortiPAM	<=1.0.3
Fortinet FortiOS IPS Engine	>=6.0.0<=6.0.16
Fortinet FortiOS IPS Engine	>=6.2.0<=6.2.16
Fortinet FortiOS IPS Engine	>=6.4.0<=6.4.14
Fortinet FortiOS IPS Engine	>=7.0.0<=7.0.12
Fortinet FortiOS IPS Engine	=7.2.0
Fortinet FortiOS IPS Engine	=.
Fortinet FortiOS IPS Engine	>=7.2.0<=7.2.5
Fortinet FortiOS IPS Engine	>=7.0
Fortinet FortiOS IPS Engine	>=6.4
Fortinet FortiOS IPS Engine	>=6.2
Fortinet FortiOS IPS Engine	>=6.0.0<=6.0.16
FortiGuard FortiPAM	=.
FortiGuard FortiPAM	>=1.0
Fortinet FortiProxy	>=7.2.0<=7.2.5
Fortinet FortiProxy	>=7.0.0<=7.0.11
Fortinet FortiProxy	>=2.0
Fortinet FortiProxy	>=1.2
Fortinet FortiProxy	>=1.1
Fortinet FortiProxy	>=1.0
Fortinet FortiSwitchManager	>=7.2.0<=7.2.2
Fortinet FortiSwitchManager	>=7.0.0<=7.0.2

Remedy

Please upgrade to FortiOS version 7.4.1 or above Please upgrade to FortiOS version 7.2.6 or above Please upgrade to FortiSwitchManager version 7.2.3 or above Please upgrade to FortiSwitchManager version 7.0.3 or above Please upgrade to FortiProxy version 7.2.6 or above Please upgrade to FortiProxy version 7.0.12 or above Please upgrade to FortiPAM version 1.1.1 or above Please upgrade to FortiSASE version 22.4 or above

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-36640?
CVE-2023-36640 is classified as a medium-severity vulnerability due to the potential for remote code execution via format string manipulation.
How do I fix CVE-2023-36640?
To mitigate CVE-2023-36640, upgrade Fortinet FortiProxy versions to at least 7.2.6 or FortiOS to at least 7.2.6.
Which Fortinet products are affected by CVE-2023-36640?
CVE-2023-36640 affects multiple versions of Fortinet FortiProxy, FortiOS, and FortiPAM.
What are the impacted versions for FortiProxy related to CVE-2023-36640?
FortiProxy versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.10 are impacted by CVE-2023-36640.
Is there a patch available for CVE-2023-36640?
Yes, patches for CVE-2023-36640 are available in the form of version upgrades for affected Fortinet products.

agent/first-publish-date
agent/title
agent/references
agent/remedy
agent/weakness
agent/type
agent/description
agent/author
agent/severity
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/fortiguard-psirt-latest
source/FortiGuard
alias/CVE-2023-36640
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/fortiguard-psirt
alias/CVE-2023-45583
vendor/fortinet
canonical/fortinet fortiproxy
version/fortinet fortiproxy/1.0.0
version/fortinet fortiproxy/1.0.7
version/fortinet fortiproxy/1.1.0
version/fortinet fortiproxy/1.1.6
version/fortinet fortiproxy/1.2.0
version/fortinet fortiproxy/1.2.13
version/fortinet fortiproxy/2.0.0
version/fortinet fortiproxy/2.0.14
version/fortinet fortiproxy/7.0.0
version/fortinet fortiproxy/7.0.10
version/fortinet fortiproxy/7.2.0
version/fortinet fortiproxy/7.2.4
canonical/fortiguard fortipam
version/fortiguard fortipam/1.0.3
canonical/fortinet fortios ips engine
version/fortinet fortios ips engine/6.0.0
version/fortinet fortios ips engine/6.0.16
version/fortinet fortios ips engine/6.2.0
version/fortinet fortios ips engine/6.2.16
version/fortinet fortios ips engine/6.4.0
version/fortinet fortios ips engine/6.4.14
version/fortinet fortios ips engine/7.0.0
version/fortinet fortios ips engine/7.0.12
version/fortinet fortios ips engine/7.2.0
version/fortinet fortios ips engine/.
version/fortinet fortios ips engine/7.2.5
version/fortinet fortios ips engine/7.0
version/fortinet fortios ips engine/6.4
version/fortinet fortios ips engine/6.2
version/fortiguard fortipam/.
version/fortiguard fortipam/1.0
version/fortinet fortiproxy/7.2.5
version/fortinet fortiproxy/7.0.11
version/fortinet fortiproxy/2.0
version/fortinet fortiproxy/1.2
version/fortinet fortiproxy/1.1
version/fortinet fortiproxy/1.0
canonical/fortinet fortiswitchmanager
version/fortinet fortiswitchmanager/7.2.0
version/fortinet fortiswitchmanager/7.2.2
version/fortinet fortiswitchmanager/7.0.0
version/fortinet fortiswitchmanager/7.0.2