FortiAnalyzer & FortiManager - Improper input validation in custom dataset
An improper input validation vulnerability [CWE-20] in FortiAnalyzer & FortiManager may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.
If enabled, disable the FortiAnalyzer features option in FortiManager via:
    config system global
        set faz-status disable
    end
FortiManager 100C is not impacted due to the absence of FortiAnalyzer features option.
FortiAnalyzer version 7.2.1 and below,
FortiAnalyzer version 7.0.6 and below,
FortiAnalyzer 6.4 all versions.
FortiManager version 7.2.0 through 7.2.2.
FortiManager version 7.0.0 through 7.0.7.
FortiManager version 6.4.0 through 6.4.11.
FortiManager version 6.2.0 through 6.2.10.
FortiManager version 6.0.1 through 6.0.11.
Solutions
Please upgrade to FortiAnalyzer version 7.2.2 or above
Please upgrade to FortiAnalyzer version 7.0.7 or above
Please upgrade to FortiAnalyzer version 6.4.12 or above
Please upgrade to FortiManager version 7.2.2 or above
Please upgrade to FortiManager version 7.0.7 or above
Please upgrade to FortiManager version 6.4.12 or above
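As an added inventory check that is not part of the Fortinet advisory, the following Python snippet encodes the affected version ranges listed above together with the two exceptions the advisory states (FortiManager 100C is not impacted, and a FortiManager with faz-status disabled has the workaround applied); the function names is_affected and needs_action are my own.

```python
# Added example: screen reported FortiAnalyzer / FortiManager versions against
# the affected ranges from the advisory. Ranges are inclusive; "6.4 all versions"
# of FortiAnalyzer is expressed as 6.4.0 .. 6.4.999.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiAnalyzer": [
        ((7, 2, 0), (7, 2, 1)),    # 7.2.1 and below
        ((7, 0, 0), (7, 0, 6)),    # 7.0.6 and below
        ((6, 4, 0), (6, 4, 999)),  # 6.4 all versions
    ],
    "FortiManager": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 7)),
        ((6, 4, 0), (6, 4, 11)),
        ((6, 2, 0), (6, 2, 10)),
        ((6, 0, 1), (6, 0, 11)),
    ],
}


def parse_version(text: str) -> Version:
    """Parse '7.0.6' or 'v7.0.6' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside an affected range for the product."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def needs_action(product: str, version: str, model: str = "",
                 faz_enabled: bool = True) -> bool:
    """True if the device still needs an upgrade or the workaround.

    FortiManager 100C has no FortiAnalyzer features option, and a FortiManager
    with faz-status disabled already has the advisory's workaround in place.
    The faz-status workaround does not apply to FortiAnalyzer itself.
    """
    if product == "FortiManager" and (model == "100C" or not faz_enabled):
        return False
    return is_affected(product, version)
```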
Acknowledgement
Fortinet is pleased to thank Darmin Blazevic (Fujitsu Services GmbH) for bringing this issue to our attention under responsible disclosure.
2023-03-23: Initial publication