PT-2023-3234 · Fortinet · FortiProxy +2

Published: 2023-06-12 · Updated: 2025-04-14 · CVE-2022-42474

CVSS v2.0: 7.7 (High)
Vector: AV:N/AC:L/Au:M/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions
FortiOS versions 6.4.12 and earlier, 7.0.0 through 7.0.9
FortiOS versions 7.2.0 through 7.2.3
FortiProxy versions 7.0.0 through 7.0.7
FortiProxy versions 7.2.0 through 7.2.1
FortiSwitchManager versions 7.0.0 through 7.0.1 and earlier
FortiSwitchManager versions 7.2.0 through 7.2.1

Description
The issue is caused by incorrect handling of relative paths in the administrative interface of FortiOS, FortiProxy, and FortiSwitchManager. A remote attacker can exploit it with crafted HTTP requests to delete arbitrary directories from the filesystem.

Recommendations
For FortiOS versions 6.4.12 and earlier, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3, update to a version that contains a fix for this issue.
For FortiProxy versions 7.0.0 through 7.0.7 and 7.2.0 through 7.2.1, update to a version that contains a fix for this issue.
For FortiSwitchManager versions 7.0.0 through 7.0.1 and earlier, and 7.2.0 through 7.2.1, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the administrative interface to minimize the risk of exploitation.

Fix

Weakness Enumeration

Relative Path Traversal
Path traversal

Related Identifiers

BDU:2023-03355
CVE-2022-42474

Affected Products

FortiOS
FortiProxy
FortiSwitchManager