What is the severity of CVE-2023-42790?

CVE-2023-42790 has a critical severity rating due to its potential for remote code execution.

How do I fix CVE-2023-42790?

To fix CVE-2023-42790, upgrade FortiOS to version 7.4.2 or later, FortiProxy to version 7.4.1 or later, or apply the relevant patches for affected versions.

Which software versions are affected by CVE-2023-42790?

CVE-2023-42790 affects multiple versions of Fortinet FortiOS and FortiProxy, specifically across various versions listed in the CVE description.

What kind of attack can exploit CVE-2023-42790?

CVE-2023-42790 can be exploited by an attacker to execute unauthorized code on the affected FortiOS and FortiProxy devices.

What products does CVE-2023-42790 impact?

CVE-2023-42790 impacts Fortinet FortiOS and FortiProxy across multiple version ranges as outlined in the vulnerability details.

Vulnerability/
CVE-2023-42790

critical

9.3

CWE

119 79 89 20 94 121

12/3/2024

17/9/2024

CVE-2023-42790: Out-of-bounds Write in captive portal

First published: Tue Mar 12 2024(Updated: )

A stack-based buffer overflow in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.

Credit: psirt@fortinet.com

Affected Software	Affected Version	How to fix
Fortinet FortiOS IPS Engine	>=7.4.0<=7.4.1
Fortinet FortiOS IPS Engine	>=7.2.0<=7.2.5
Fortinet FortiOS IPS Engine	>=7.0.0<=7.0.12
Fortinet FortiOS IPS Engine	>=6.4.0<=6.4.14
Fortinet FortiOS IPS Engine	>=6.2.0<=6.2.15
Fortinet FortiProxy	=.
Fortinet FortiProxy	>=7.2.0<=7.2.6
Fortinet FortiProxy	>=7.0.0<=7.0.12
Fortinet FortiProxy	>=2.0.0<=2.0.13
Fortinet FortiSASE	=3
Fortinet FortiProxy	>=2.0.0<=2.0.13
Fortinet FortiProxy	>=7.0.0<=7.0.12
Fortinet FortiProxy	>=7.2.0<=7.2.6
Fortinet FortiProxy	=7.4.0
Fortinet FortiOS IPS Engine	>=6.2.0<=6.2.15
Fortinet FortiOS IPS Engine	>=6.4.0<=6.4.14
Fortinet FortiOS IPS Engine	>=7.0.0<=7.0.12
Fortinet FortiOS IPS Engine	>=7.2.0<=7.2.5
Fortinet FortiOS IPS Engine	>=7.4.0<=7.4.1

Remedy

Please upgrade to FortiOS version 7.4.2 or above Please upgrade to FortiOS version 7.2.6 or above Please upgrade to FortiOS version 7.0.13 or above Please upgrade to FortiOS version 6.4.15 or above Please upgrade to FortiOS version 6.2.16 or above Please upgrade to FortiProxy version 7.4.1 or above Please upgrade to FortiProxy version 7.2.7 or above Please upgrade to FortiProxy version 7.0.13 or above Please upgrade to FortiProxy version 2.0.14 or above Fortinet in Q3/23 has remediated this issue in FortiSASE version 23.3.b and hence the customers need not perform any action.

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is the severity of CVE-2023-42790?
CVE-2023-42790 has a critical severity rating due to its potential for remote code execution.
How do I fix CVE-2023-42790?
To fix CVE-2023-42790, upgrade FortiOS to version 7.4.2 or later, FortiProxy to version 7.4.1 or later, or apply the relevant patches for affected versions.
Which software versions are affected by CVE-2023-42790?
CVE-2023-42790 affects multiple versions of Fortinet FortiOS and FortiProxy, specifically across various versions listed in the CVE description.
What kind of attack can exploit CVE-2023-42790?
CVE-2023-42790 can be exploited by an attacker to execute unauthorized code on the affected FortiOS and FortiProxy devices.
What products does CVE-2023-42790 impact?
CVE-2023-42790 impacts Fortinet FortiOS and FortiProxy across multiple version ranges as outlined in the vulnerability details.

agent/type
agent/first-publish-date
agent/author
collector/the-register
source/The Register
alias/CVE-2024-21407
alias/CVE-2024-21408
alias/CVE-2024-21334
alias/CVE-2024-21400
alias/CVE-2023-32666
alias/CVE-2023-32282
alias/CVE-2024-2193
alias/CVE-2023-20214
alias/CVE-2024-20337
alias/CVE-2024-0039
alias/CVE-2024-23717
alias/CVE-2023-42789
alias/CVE-2023-42790
alias/CVE-2023-48788
alias/CVE-2023-47534
alias/CVE-2023-36554
alias/CVE-2024-23112
alias/CVE-2023-46717
agent/news-ai
agent/severity
agent/references
agent/weakness
agent/title
collector/mitre-cve
source/MITRE
agent/remedy
agent/last-modified-date
agent/trending
agent/source
agent/tags
agent/event
agent/description
agent/softwarecombine
collector/fortiguard-psirt
source/FortiGuard
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-api
source/NVD
vendor/fortinet
canonical/fortinet fortios ips engine
version/fortinet fortios ips engine/7.4.0
version/fortinet fortios ips engine/7.4.1
version/fortinet fortios ips engine/7.2.0
version/fortinet fortios ips engine/7.2.5
version/fortinet fortios ips engine/7.0.0
version/fortinet fortios ips engine/7.0.12
version/fortinet fortios ips engine/6.4.0
version/fortinet fortios ips engine/6.4.14
version/fortinet fortios ips engine/6.2.0
version/fortinet fortios ips engine/6.2.15
canonical/fortinet fortiproxy
version/fortinet fortiproxy/.
version/fortinet fortiproxy/7.2.0
version/fortinet fortiproxy/7.2.6
version/fortinet fortiproxy/7.0.0
version/fortinet fortiproxy/7.0.12
version/fortinet fortiproxy/2.0.0
version/fortinet fortiproxy/2.0.13
canonical/fortinet fortisase
version/fortinet fortisase/3
version/fortinet fortiproxy/7.4.0