PSIRT Advisories

CVE-2019-9193 PostgreSQL allows OS level commands via COPY SQL function

Summary

An OS command injection vulnerability in FortiAnalyzer, FortiAuthenticator and FortiManager may allow a privileged system administrator to run OS-level commands on the system by injecting commands into SQL queries.
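The SQL construct behind CVE-2019-9193 is PostgreSQL's COPY ... TO/FROM PROGRAM form, which hands the quoted program to the server's shell and is available to superusers and to members of the pg_execute_server_program role. The following is an added example, not code from Fortinet or from the advisory, showing the two checks a defender would want around this feature: a scan of PostgreSQL statement logs for COPY statements that use PROGRAM, and a least-privilege review of which database roles are able to run such statements. It assumes log lines carry the standard `statement:` text that log_statement = 'all' produces, and the role snapshot format is a constructed one (the function names find_copy_program and roles_allowed_copy_program are this example's own).

```python
import re
from dataclasses import dataclass

# Constructed sample of PostgreSQL log lines (log_statement = 'all', no
# log_line_prefix). These are made-up lines for this example, not output
# captured from any Fortinet product.
SAMPLE_LOG = """\
LOG:  statement: SELECT count(*) FROM logs WHERE devid = 'FGT1'
LOG:  statement: COPY reports TO '/var/tmp/reports.csv'
LOG:  statement: copy   tmp_tbl   from   PROGRAM   'placeholder_command'
LOG:  statement: COPY (SELECT 1) TO PROGRAM 'placeholder_command'
LOG:  statement: INSERT INTO notes VALUES ('COPY FROM PROGRAM is a string here')
"""

# Constructed snapshot of roles, in the shape of
#   SELECT rolname, rolsuper, <memberships> FROM pg_roles ...
# pg_execute_server_program is the real built-in PostgreSQL role that grants
# COPY ... PROGRAM; the other role names are invented for the example.
SAMPLE_ROLES = [
    {"rolname": "postgres", "rolsuper": True, "memberof": []},
    {"rolname": "fazreport", "rolsuper": False, "memberof": ["pg_execute_server_program"]},
    {"rolname": "app_ro", "rolsuper": False, "memberof": ["report_readers"]},
]

# Single-quoted SQL string literals ('' is an escaped quote inside a literal).
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# COPY ... FROM|TO PROGRAM, matched only after string literals are blanked so
# that the keyword inside a quoted value cannot trigger the rule.
COPY_PROGRAM = re.compile(
    r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL
)


@dataclass
class Finding:
    line_no: int       # 1-based line number in the log input
    statement: str     # the logged SQL statement
    direction: str     # "FROM" (program output loaded) or "TO" (data piped to program)


def _strip_strings(sql: str) -> str:
    """Replace every single-quoted literal with '' so its contents are ignored."""
    return STRING_LITERAL.sub("''", sql)


def find_copy_program(lines):
    """Return a Finding for every logged statement that uses COPY ... PROGRAM."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if "statement:" not in line:
            continue
        stmt = line.split("statement:", 1)[1].strip()
        match = COPY_PROGRAM.search(_strip_strings(stmt))
        if match:
            findings.append(Finding(line_no, stmt, match.group("dir").upper()))
    return findings


def roles_allowed_copy_program(roles):
    """Names of roles that can run COPY ... PROGRAM: superusers plus members of
    pg_execute_server_program. Anything on this list that is not a DBA
    account is a least-privilege finding."""
    return [
        r["rolname"]
        for r in roles
        if r["rolsuper"] or "pg_execute_server_program" in r["memberof"]
    ]


if __name__ == "__main__":
    for f in find_copy_program(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: COPY {f.direction} PROGRAM -> {f.statement}")
    print("roles able to run COPY ... PROGRAM:", roles_allowed_copy_program(SAMPLE_ROLES))
```

Run against the constructed log, the scan reports lines 3 and 4 only: the plain file COPY on line 2 and the keyword inside a string literal on line 5 are ignored. The role review flags both the superuser and the non-superuser report role; in a hardened deployment the second entry would be removed from pg_execute_server_program unless that role genuinely needs to run server-side programs.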

Affected Products

FortiAnalyzer version 5.6.0 through 5.6.11
FortiAnalyzer version 6.0.0 through 6.0.8
FortiAnalyzer version 6.2.0 through 6.2.3

FortiAuthenticator version 6.1.0 through 6.1.2

FortiManager version 5.6.0 through 5.6.11
FortiManager version 6.0.0 through 6.0.8
FortiManager version 6.2.0 through 6.2.3

Solutions

Upgrade to FortiAnalyzer version 6.4.0 or above.
Upgrade to FortiAnalyzer version 6.2.4 or above.
Upgrade to FortiAnalyzer version 6.0.9 or above.

Upgrade to FortiAuthenticator version 6.2.0 or above.

Upgrade to FortiManager version 6.4.0 or above.
Upgrade to FortiManager version 6.2.4 or above.
Upgrade to FortiManager version 6.0.9 or above.

Acknowledgement

Fortinet is pleased to thank "Renee Trisberg from SpectX ( https://www.spectx.com/ )" and "Chris Armstrong from CSCI, Inc" for reporting this vulnerability under responsible disclosure.

References

  • PostgreSQL CVE-2019-9193