Web server ETag exposure
Summary
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow an unauthenticated attacker to fingerprint the device version via HTTP requests.
Version | Affected | Solution |
---|---|---|
FortiOS 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
FortiOS 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
Acknowledgement
Fortinet is pleased to thank security researcher Andreas Korpås at Institute for Energy Technology SOC for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2024-04-09: Initial publication