PSIRT Advisories
FortiAnalyzer -- the log-fetch client request password is shown in clear text in the heartbeat response
Summary
An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer.
Affected Products
FortiAnalyzer version 7.2.0 through 7.2.1
FortiAnalyzer version 7.0.0 through 7.0.4
FortiAnalyzer version 6.4.0 through 6.4.10
Solutions
Please upgrade to FortiAnalyzer version 7.2.2 or above
Please upgrade to FortiAnalyzer version 7.0.5 or above
Please upgrade to FortiAnalyzer version 6.4.11 or above
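As an added example (not part of the advisory or Fortinet's tooling), the following script encodes the affected ranges and fixed versions listed above so an inventory of FortiAnalyzer versions can be checked for exposure. The version strings it takes as input are constructed sample data; the branch and comparison logic is an assumption about how an operator would map a reported version onto the three affected trains.

```python
"""Check FortiAnalyzer versions against the ranges in this advisory."""

# Affected ranges and the fixed release per train, copied from the advisory.
# Each entry: (first affected, last affected, first fixed).
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 1), (7, 2, 2)),
    ((7, 0, 0), (7, 0, 4), (7, 0, 5)),
    ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
]


def parse_version(text):
    """Turn a dotted version such as '7.0.3' into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected MAJOR.MINOR.PATCH, got %r" % text)
    return tuple(int(p) for p in parts)


def check_version(text):
    """Return (affected, recommended_upgrade_or_None) for one version string.

    A version inside an affected range is vulnerable and the fixed release of
    its train is returned. Versions outside every listed range (older trains,
    or already patched releases) are reported as not affected by this advisory.
    """
    version = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= version <= last:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def audit_inventory(versions):
    """Map each reported version to its advisory status; used for a fleet list."""
    return {v: check_version(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real device data.
    sample = ["7.2.1", "7.0.4", "7.0.5", "6.4.10", "6.4.11", "6.2.12"]
    for ver, (affected, fixed) in audit_inventory(sample).items():
        status = "AFFECTED, upgrade to %s" % fixed if affected else "not affected"
        print("%-8s %s" % (ver, status))
```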