CVE-2023-44255: 
Fortinet FortiManager vulnerability analysis and mitigation

An exposure of sensitive information vulnerability (CVE-2023-44255) was discovered in Fortinet FortiManager before 7.4.2, FortiAnalyzer before 7.4.2, and FortiAnalyzer-BigData before 7.2.5. The vulnerability was disclosed on November 12, 2024, and affects multiple versions of these Fortinet products. This security issue allows privileged attackers with administrative read permissions to access event logs of another administrative domain (adom) through crafted HTTP or HTTPS requests (Fortinet Advisory).

The vulnerability is classified as an Exposure of Private Personal Information to an Unauthorized Actor (CWE-359). It received a CVSS v3.1 base score of 4.1 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N. The attack vector is network-based, requires high privileges, but no user interaction, and can potentially affect confidentiality across security boundaries (NVD).

The vulnerability's primary impact is the potential disclosure of sensitive information, specifically allowing authorized administrators to access event logs beyond their intended administrative domain. This represents a confidentiality breach within the system's security boundaries (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiAnalyzer 7.4.x should upgrade to version 7.4.3 or above, FortiAnalyzer 7.2.x users should upgrade to version 7.2.6 or above, and FortiManager 7.4.x users should upgrade to version 7.4.3 or above. Users of older versions (6.2, 6.4, 7.0) are advised to migrate to a fixed release (Fortinet Advisory).

The vulnerability was responsibly disclosed by Mickael Dorigny of Orange Cyberdefense and Frédric Prevost, François-Xavier Picard and Orange CERT-CC of Orange group (Fortinet Advisory).