PSIRT Advisories

FortiAnalyzer & FortiManager - Improper input validation in custom dataset

Summary

An improper input validation vulnerability [CWE-20] in FortiAnalyzer & FortiManager may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.

Workaround:

If enabled, disabled the FortiAnalyzer features option in FortiManager via:

```
config system global
set faz-status disable
end
```
FortiManager 100C is not impacted due to the absence of FortiAnalyzer features option.

Affected Products

FortiAnalyzer version 7.2.1 and below,
FortiAnalyzer version 7.0.6 and below,
FortiAnalyzer 6.4 all versions.

FortiManager version 7.2.0 through 7.2.2.
FortiManager version 7.0.0 through 7.0.7.
FortiManager version 6.4.0 through 6.4.11.
FortiManager version 6.2.0 through 6.2.10.
FortiManager version 6.0.1 through 6.0.11.

Solutions

Please upgrade to FortiAnalyzer version 7.2.2 or above
Please upgrade to FortiAnalyzer version 7.0.7 or above
Please upgrade to FortiAnalyzer version 6.4.12 or above
Please upgrade to FortiManager version 7.2.2 or above
Please upgrade to FortiManager version 7.0.7 or above
Please upgrade to FortiManager version 6.4.12 or above

Acknowledgement

Fortinet is pleased to thank Darmin Blazevic (Fujitsu Services GmbH) for bringing this issue to our attention under responsible disclosure.

Timeline

2023-03-23: Initial publication