FortiOS / FortiProxy - Path traversal vulnerability allows VDOM escaping

Summary

A relative path traversal vulnerability [CWE-23] in FortiOS and FortiProxy may allow privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests.

Affected Products

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12

FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy version 2.0.0 through 2.0.11
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions

Note: Impact on FortiProxy 7.0.x, 2.0.x, 1.2.x, 1.1.x is minor as it does not have VDOMs

Solutions

Please upgrade to FortiProxy version 7.2.2 or above
Please upgrade to FortiProxy version 7.0.8 or above
Please upgrade to FortiProxy version 2.0.12 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.9 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.13 or above

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.