CVE-2023-44254 — Authorization Bypass Through User-Controlled Key in Fortinet Fortianalyzer

CWE-639 — Authorization Bypass Through User-Controlled Key4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.0

EPSS

0.3%

top 51.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager Fortinet Fortianalyzer BIG Data

Timeline

PublishedSep 10

Description

An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDfortinet/fortianalyzer_big_data7.2.0 — 7.2.5

▶NVDfortinet/fortimanager6.2.0 — 7.2.5+1

▶NVDfortinet/fortianalyzer6.2.0 — 7.2.5+1

▶CVEListV5fortinet/fortimanager7.2.0 — 7.2.4+4

▶CVEListV5fortinet/fortianalyzer7.2.0 — 7.2.4+4

🔴Vulnerability Details

GHSA

GHSA-pmv9-7f92-57xh: An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7↗2024-09-10

▶

CVEList

CVE-2023-44254: An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7↗2024-09-10

▶

📋Vendor Advisories

Fortinet

IDOR on download logs feature↗2024-09-10

▶