CVE-2023-44249: 
Fortinet FortiManager vulnerability analysis and mitigation

An authorization bypass through user-controlled key vulnerability (CVE-2023-44249) was discovered in Fortinet FortiManager version 7.4.0 and before 7.2.3, and FortiAnalyzer version 7.4.0 and before 7.2.3. The vulnerability was disclosed on October 10, 2023, affecting multiple versions of FortiManager and FortiAnalyzer products (NVD, Fortinet PSIRT).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The issue occurs in asynchronous tasks that use taskid in the FortiManager, where taskids are weak numerical and incremental values that can be stored for several months without expiring. The CVSS v3.1 base score is 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity (Orange CERT).

The vulnerability allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. The exposed information includes names of equipment belonging to other ADOMs, names of other ADOMs which may contain customer information, and usernames that are normally not accessible to the user (Orange CERT).

Fortinet has released security patches to address this vulnerability. Users are advised to upgrade to the following versions: FortiAnalyzer-BigData 7.4.1 or above, FortiAnalyzer-BigData 7.2.6 or above, FortiManager 7.4.1 or above, FortiManager 7.2.4 or above, or FortiManager 7.0.10 or above. Users on FortiManager 6.4 and 6.2 all versions should migrate to a fixed release (Fortinet PSIRT).