PT-2022-11806 · Fortinet · Fortios+1
Published
2022-05-03
·
Updated
2022-05-13
·
CVE-2021-43206
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Fortinet FortiOS versions 6.0.x through 7.0.3
Fortinet FortiOS versions 6.2.x through 6.4.8
FortiProxy versions 2.0.x through 7.0.1
Description
A server-generated error message containing sensitive information allows malicious webservers to retrieve a web proxy's client username and IP via same origin HTTP requests triggering proxy-generated HTTP status codes pages.
Recommendations
For Fortinet FortiOS versions 6.0.x through 7.0.3, update to a version that does not contain the vulnerability.
For Fortinet FortiOS versions 6.2.x through 6.4.8, update to a version that does not contain the vulnerability.
For FortiProxy versions 2.0.x through 7.0.1, update to a version that does not contain the vulnerability.
As a temporary workaround, consider restricting access to the web proxy to minimize the risk of exploitation.
Fix
Generation of Error Message Containing Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fortios
Fortiproxy