CVE-2023-42782 — Insufficient Verification of Data Authenticity in Fortinet Fortianalyzer

CWE-345 — Insufficient Verification of Data Authenticity4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 44.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer

Timeline

PublishedOct 10

Description

A insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer version 7.4.0 and below 7.2.3 allows a remote unauthenticated attacker to send messages to the syslog server of FortiAnalyzer via the knoweldge of an authorized device serial number.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5fortinet/fortianalyzer7.2.0 — 7.2.3+4

▶NVDfortinet/fortianalyzer6.2.0 — 6.2.12+4

🔴Vulnerability Details

CVEList

CVE-2023-42782: A insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer version 7↗2023-10-10

▶

GHSA

GHSA-g4h5-9rrr-q667: A insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer version 7↗2023-10-10

▶

📋Vendor Advisories

Fortinet

Syslog not protected by an extra layer of authentication↗2023-10-10

▶