FortiWeb - Path traversal in API controller
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-21-156
Status: Final
1
1
2021-12-07T00:00:00
Current version: 2021-12-07T00:00:00
2021-12-07T00:00:00
Summary: Multiple relative path traversal vulnerabilities [CWE-23] in the API of FortiWeb may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
None
Impact: Improper access control
Affected Products: FortiWeb versions 6.4.1 and below. FortiWeb versions 6.3.15 and below. FortiWeb versions 6.2.6 and below. FortiWeb versions 6.1.2 and below.
Solution: Upgrade to FortiWeb 7.0.0 or above. Upgrade to FortiWeb 6.4.2 or above. Upgrade to FortiWeb 6.3.16 or above.
Acknowledgement: Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.
FortiWeb 6.4.1
FortiWeb 6.4.0
FortiWeb 6.3.15
FortiWeb 6.3.14
FortiWeb 6.3.13
FortiWeb 6.3.12
FortiWeb 6.3.11
FortiWeb 6.3.10
FortiWeb 6.3.9
FortiWeb 6.3.8
FortiWeb 6.3.7
FortiWeb 6.3.6
FortiWeb 6.3.5
FortiWeb 6.3.4
FortiWeb 6.3.3
FortiWeb 6.3.2
FortiWeb 6.3.1
FortiWeb 6.3.0
CVE ID: CVE-2021-41026
CVSSv3 Score: 7.7
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:U/RC:C
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-21-156