FortiPAM - Lack of rate control to protect against DoS attacks

Summary

An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiPAM may allow an authenticated attacker to perform a denial of service attack via sending crafted HTTP or HTTPS requests at a high frequency.

Version Affected Solution
FortiPAM 1.1 Not affected Upgrade to 1.1.0 or above
FortiPAM 1.0 1.0 all versions Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Josh Wang from FortiPAM developpement team.

Timeline

2024-01-02: Initial publication