virus logo PSIRT

Password storage in cleartext in DB for external servers

Summary

A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.

Version Affected Solution
FortiTester 7.3 Not affected Not Applicable
FortiTester 7.2 7.2 all versions Migrate to a fixed release
FortiTester 7.1 7.1 all versions Migrate to a fixed release
FortiTester 7.0 7.0 all versions Migrate to a fixed release
FortiTester 4.2 4.2 all versions Migrate to a fixed release
FortiTester 4.1 4.1 all versions Migrate to a fixed release
FortiTester 4.0 4.0 all versions Migrate to a fixed release
FortiTester 3.9 3.9 all versions Migrate to a fixed release
FortiTester 3.8 3.8 all versions Migrate to a fixed release
FortiTester 3.7 3.7 all versions Migrate to a fixed release
FortiTester 3.6 3.6 all versions Migrate to a fixed release
FortiTester 3.5 3.5 all versions Migrate to a fixed release
FortiTester 3.4 3.4 all versions Migrate to a fixed release
FortiTester 3.3 3.3 all versions Migrate to a fixed release
FortiTester 3.2 3.2 all versions Migrate to a fixed release
FortiTester 3.1 3.1 all versions Migrate to a fixed release
FortiTester 3.0 3.0 all versions Migrate to a fixed release
FortiTester 2.9 2.9 all versions Migrate to a fixed release
FortiTester 2.8 2.8 all versions Migrate to a fixed release
FortiTester 2.7 2.7 all versions Migrate to a fixed release
FortiTester 2.6 2.6 all versions Migrate to a fixed release
FortiTester 2.5 2.5 all versions Migrate to a fixed release
FortiTester 2.4 2.4 all versions Migrate to a fixed release
FortiTester 2.3 2.3 all versions Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.

Timeline

2023-09-01: Initial publication

IR Number FG-IR-22-465
Date Sep 13, 2023
Severity Medium
CVSSv3 Score 5.2
Impact Information disclosure
CVE ID CVE-2023-40715
CVRF Download