CVE-2022-41329: 
FortiOS vulnerability analysis and mitigation

An exposure of sensitive information vulnerability (CVE-2022-41329) was discovered in FortiOS and FortiProxy administrative interface, affecting multiple versions of these products. The vulnerability was internally discovered by Théo Leleu of Fortinet Product Security team and publicly disclosed on March 7, 2023. The affected systems include FortiProxy versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.8, as well as FortiOS versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, and 6.4.0 through 6.4.11 (Fortiguard Advisory).

The vulnerability is classified as an exposure of sensitive information to an unauthorized actor [CWE-200]. It allows unauthenticated attackers to obtain sensitive logging information on the device through crafted HTTP or HTTPS GET requests. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD Database).

The primary impact of this vulnerability is the potential exposure of sensitive logging information to unauthorized actors. The vulnerability allows attackers to access logging data that should be restricted, potentially exposing sensitive operational information about the affected devices (Fortiguard Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to the following versions: FortiProxy version 7.2.3 or above, FortiProxy version 7.0.9 or above, FortiOS version 7.2.4 or above, FortiOS version 7.0.10 or above, or FortiOS version 6.4.12 or above (Fortiguard Advisory).