CVE-2023-42791: 
Fortinet FortiManager vulnerability analysis and mitigation

A relative path traversal vulnerability (CVE-2023-42791) was discovered in Fortinet FortiManager and FortiAnalyzer products. The vulnerability was initially disclosed on October 10, 2023, and affects multiple versions of FortiManager (6.2.0-6.2.11, 6.4.0-6.4.12, 7.0.0-7.0.8, 7.2.0-7.2.3, 7.4.0) and FortiAnalyzer-BigData (7.2.0-7.2.5). This high-severity vulnerability received a CVSS v3.1 base score of 8.6 (Fortiguard PSIRT).

The vulnerability is classified as a relative path traversal (CWE-23) that allows a remote attacker with low privileges to execute unauthorized code through crafted HTTP requests. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

The successful exploitation of this vulnerability could allow an attacker to execute unauthorized code or commands on affected systems. Given the high CVSS score and the critical nature of FortiManager and FortiAnalyzer in network management, this vulnerability poses significant risks to affected organizations (Fortiguard PSIRT).

Fortinet has released security patches for all affected versions. Organizations should upgrade to the following versions: FortiManager 6.2.12 or above, 6.4.13 or above, 7.0.9 or above, 7.2.4 or above, 7.4.1 or above, and FortiAnalyzer-BigData 7.2.6 or above. FortiManager 7.6 and FortiAnalyzer-BigData 7.4 are not affected by this vulnerability (Fortiguard PSIRT).

The vulnerability was discovered and reported by security researchers Paul BARBE, Antoine CARRINCAZEAUX and Clément AMIC from Synacktiv under responsible disclosure practices (Fortiguard PSIRT).