PSIRT Advisories

FortiADC - Path traversal vulnerability in CLI

Summary

A relative path traversal vulnerability [CWE-23] in FortiADC may allow a privileged attacker to delete arbitrary directories from the underlying file system via crafted CLI commands.

Affected Products

FortiADC version 7.2.0
FortiADC version 7.1.0 through 7.1.1
FortiADC 7.0 all versions
FortiADC 6.2 all versions
FortiADC 6.1 all versions
FortiADC 6.0 all versions
FortiADC 5.4 all versions
FortiADC 5.3 all versions
FortiADC 5.2 all versions

Solutions

Please upgrade to FortiADC version 7.2.1 or above
Please upgrade to FortiADC version 7.1.2 or above

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

Timeline

2023-04-25: Initial publication