CVE-2023-44256: SSRF
First published: Fri Oct 20 2023(Updated: )
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 allows a remote attacker with low privileges to view sensitive data from internal servers or perform a local port scan via a crafted HTTP request.
Credit: psirt@fortinet.com psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiAnalyzer | >=6.4.8<=6.4.13 | |
| Fortinet FortiAnalyzer | >=7.0.2<=7.0.8 | |
| Fortinet FortiAnalyzer | >=7.2.0<=7.2.3 | |
| Fortinet FortiAnalyzer | =7.4.0 | |
| Fortinet FortiManager | >=7.0.0<=7.0.8 | |
| Fortinet FortiManager | >=7.2.0<=7.2.3 | |
| Fortinet FortiManager | =7.4.0 |
Remedy
Please upgrade to FortiAnalyzer version 7.4.1 or above Please upgrade to FortiAnalyzer version 7.2.4 or above Please upgrade to FortiAnalyzer version 7.0.9 or above Please upgrade to FortiManager version 7.4.1 or above Please upgrade to FortiManager version 7.2.4 or above Please upgrade to FortiManager version 7.0.9 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-44256?
The severity of CVE-2023-44256 is medium with a CVSS score of 6.5.
Which versions of Fortinet FortiAnalyzer are affected by CVE-2023-44256?
Fortinet FortiAnalyzer versions 7.4.0, 7.2.0 through 7.2.3, 7.0.2 through 7.0.8, and 6.4.8 through 6.4.13 are affected by CVE-2023-44256.
Which versions of Fortinet FortiManager are affected by CVE-2023-44256?
Fortinet FortiManager versions 7.4.0, 7.2.0 through 7.2.3, and 7.0.0 through 7.0.8 are affected by CVE-2023-44256.
What is the vulnerability type of CVE-2023-44256?
CVE-2023-44256 is a server-side request forgery vulnerability (CWE-918).
What is the impact of CVE-2023-44256?
CVE-2023-44256 allows a remote attacker with low privileges to view sensitive data from internal systems.
- collector/nvd-index
- collector/nvd-api
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/fortinet
- canonical/fortinet fortianalyzer
- version/fortinet fortianalyzer/6.4.8
- version/fortinet fortianalyzer/6.4.13
- version/fortinet fortianalyzer/7.0.2
- version/fortinet fortianalyzer/7.0.8
- version/fortinet fortianalyzer/7.2.0
- version/fortinet fortianalyzer/7.2.3
- version/fortinet fortianalyzer/7.4.0
- canonical/fortinet fortimanager
- version/fortinet fortimanager/7.0.0
- version/fortinet fortimanager/7.0.8
- version/fortinet fortimanager/7.2.0
- version/fortinet fortimanager/7.2.3
- version/fortinet fortimanager/7.4.0