CVE-2023-44254: IDOR on download logs feature
First published: Tue Sep 10 2024(Updated: )
An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer & FortiManager may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiAnalyzer | >=6.2.0<7.2.5 | |
| Fortinet FortiAnalyzer | =7.4.0 | |
| Fortinet FortiManager | >=6.2.0<7.2.5 | |
| Fortinet FortiManager | =7.4.0 | |
| Fortinet FortiAnalyzer BigData | >=7.2.0<=7.2.5 |
Remedy
Please upgrade to FortiAnalyzer version 7.4.1 or above Please upgrade to FortiAnalyzer version 7.2.5 or above Please upgrade to FortiManager version 7.4.1 or above Please upgrade to FortiManager version 7.2.5 or above Please upgrade to FortiAnalyzer-BigData version 7.4.0 or above Please upgrade to FortiAnalyzer-BigData version 7.2.6 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-44254?
CVE-2023-44254 has a medium severity rating due to its potential for unauthorized access to sensitive data.
How do I fix CVE-2023-44254?
To fix CVE-2023-44254, update FortiAnalyzer and FortiManager to the latest versions that address this vulnerability.
What systems are affected by CVE-2023-44254?
CVE-2023-44254 affects FortiAnalyzer versions from 6.2.0 to 7.2.5 and version 7.4.0, as well as FortiManager versions from 6.2.0 to 7.2.5 and version 7.4.0.
What type of attack does CVE-2023-44254 involve?
CVE-2023-44254 involves an authorization bypass allowing remote attackers to read sensitive data through crafted HTTP requests.
Can low privilege users exploit CVE-2023-44254?
Yes, low privilege users can exploit CVE-2023-44254 to bypass authorization controls and access sensitive information.
- agent/first-publish-date
- collector/fortiguard-psirt
- source/FortiGuard
- alias/CVE-2023-44254
- agent/title
- agent/remedy
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- collector/fortiguard-psirt-latest
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/fortinet
- canonical/fortinet fortianalyzer
- version/fortinet fortianalyzer/6.2.0
- version/fortinet fortianalyzer/7.4.0
- canonical/fortinet fortimanager
- version/fortinet fortimanager/6.2.0
- version/fortinet fortimanager/7.4.0
- canonical/fortinet fortianalyzer bigdata
- version/fortinet fortianalyzer bigdata/7.2.0
- version/fortinet fortianalyzer bigdata/7.2.5