PSIRT Advisories
FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch - Information disclosure through diagnose debug commands
Summary
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch may allow an attacker who has obtained access to a restricted administrative account to obtain sensitive information via `diagnose debug` commands.
Affected Products
At least
FortiManager version 6.0.0 through 6.0.4
At least
FortiAnalyzer version 6.0.0 through 6.0.4
At least
FortiPortal 4.1 all versions
FortiPortal 4.2 all versions
FortiPortal 5.0 all versions
FortiPortal 5.1 all versions
FortiPortal 5.2 all versions
FortiPortal 5.3 all versions
FortiPortal version 6.0.0 through 6.0.9
At least
FortiSwitch version 6.0.0 through 6.0.7
FortiSwitch version 6.2.0 through 6.2.7
FortiSwitch version 6.4.0 through 6.4.10
FortiSwitch version 7.0.0 through 7.0.4
Solutions
Upgrade to FortiManager version 6.0.5 and above,
Upgrade to FortiManager version 6.2.0 and above.
Upgrade to FortiAnalyzer version 6.0.5 and above,
Upgrade to FortiAnalyzer version 6.2.0 and above.
Upgrade to FortiPortal version 6.0.10 and above.
Upgrade to FortiSwitch version 6.4.11 and above,
Upgrade to FortiSwitch version 7.0.5 and above.