Loic Restoux

Name of the Vulnerable Software and Affected Versions: FortiManager versions 6.4 through 7.6.1 FortiManager version 7.0 Description: The issue is related to the use of a hard-coded cryptographic key in the FortiManager interface, which can allow a remote attacker to disclose confidential information. This vulnerability may enable an attacker with JSON API access permissions to decrypt some secrets, even if the 'private-data-encryption' setting is enabled. Recommendations: For FortiManager versions 6.4 through 7.6.1, update to a version that does not use a hard-coded cryptographic key. For FortiManager version 7.0, update to a version that does not use a hard-coded cryptographic key. As a temporary workaround, consider restricting access to the JSON API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue is related to insufficient access control in the image registration process of Cisco Enterprise NFV Infrastructure Software (NFVIS), which could allow a remote attacker to execute arbitrary commands by installing a virtual machine image with crafted metadata. Additionally, there are multiple vulnerabilities that could enable an attacker to escape from a guest virtual machine to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Juniper Networks Junos OS on NFX Series versions 18.1R1 through 18.2R3-S5 Juniper Networks Junos OS on NFX Series versions 18.3 through 18.3R3-S3 Juniper Networks Junos OS on NFX Series versions 18.4 through 18.4R3-S4 Juniper Networks Junos OS on NFX Series versions 19.1 through 19.1R2 Juniper Networks Junos OS on NFX Series versions 19.2 through 19.2R2 Description: The issue affects Juniper Networks Junos OS on NFX Series devices, allowing an attacker to elevate their privileges via the Junos Device Management Daemon (JDMD) process. This is a local code execution issue. The JDMD as used by Junos Node Slicing, such as External Servers and In-Chassis Junos Node Slicing on certain MX series devices, is not affected. Recommendations: For versions 18.1R1 through 18.2R3-S5, update to version 18.2R3-S5 or later. For versions 18.3 through 18.3R3-S3, update to version 18.3R3-S3 or later. For versions 18.4 through 18.4R3-S4, update to version 18.4R3-S4 or later. For versions 19.1 through 19.1R2, update to version 19.1R2 or later. For versions 19.2 through 19.2R2, update to version 19.2R2 or later.