PT-2023-7697 · Fortinet · Fortiproxy+2

Published: 2023-12-08 · Updated: 2023-12-15 · CVE-2023-36639

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiProxy versions 7.2.0 through 7.2.4
FortiProxy versions 7.0.0 through 7.0.10
FortiOS version 7.4.0
FortiOS versions 7.2.0 through 7.2.4
FortiOS versions 7.0.0 through 7.0.11
FortiOS versions 6.4.0 through 6.4.12
FortiOS versions 6.2.0 through 6.2.15
FortiOS versions 6.0.0 through 6.0.17
FortiPAM versions 1.0.0 through 1.0.3
Description

The vulnerability is a use of an externally-controlled format string (CWE-134) in the HTTPSd daemon of FortiOS, FortiProxy, and FortiPAM. An attacker who can send specially crafted API requests to the daemon may be able to execute unauthorized code or commands.
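The defect class behind this advisory is easiest to see side by side. The following is an added example and not Fortinet's code: it assumes a hypothetical request-logging helper (format_into, log_request_vulnerable, log_request_safe) in an HTTP daemon and shows why an untrusted request field must never be the format argument of a printf-family call, how the fixed form differs, and a small guard that flags request fields carrying format directives.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request logger for an HTTP daemon: an assumption for this
 * example, not Fortinet code. Wrapping vsnprintf hides the printf family
 * from the compiler, which is how such calls often escape format warnings. */
static int format_into(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* CWE-134 pattern: the request path itself becomes the format string, so
 * any "%..." bytes in it are executed as directives (reads of memory via
 * conversions such as "%x", writes via "%n") instead of being logged.
 * Kept here only for contrast with the fixed form below. */
int log_request_vulnerable(char *out, size_t outsz, const char *path)
{
    return format_into(out, outsz, path);
}

/* Fixed form: the format string is a literal and the untrusted data is an
 * argument, so its bytes are copied verbatim whatever they contain. */
int log_request_safe(char *out, size_t outsz, const char *path)
{
    return format_into(out, outsz, "request path=%s", path);
}

/* Detection aid: does a request field contain a '%' that a printf-family
 * function would treat as a directive? Only meaningful for fields that
 * reach such a call, and only after URL-decoding: raw URLs are full of
 * legitimate percent-encoding and would false-positive. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Runs a handler on an input and reports whether the input's bytes were
 * altered, i.e. interpreted as directives rather than copied. The probe
 * uses "%%", the one directive that is safe to let the vulnerable path
 * evaluate (it consumes no arguments and touches no memory). */
int directive_was_interpreted(int (*handler)(char *, size_t, const char *),
                              const char *input)
{
    char out[128];
    handler(out, sizeof out, input);
    return strstr(out, input) == NULL;
}

int main(void)
{
    const char *probe = "/api/v2/100%%"; /* constructed sample input */
    printf("vulnerable handler interpreted directive: %d\n",
           directive_was_interpreted(log_request_vulnerable, probe));
    printf("safe handler interpreted directive:       %d\n",
           directive_was_interpreted(log_request_safe, probe));
    printf("field flagged by guard: %d\n", contains_format_directive(probe));
    return 0;
}
```

The vulnerable handler turns "100%%" into "100%", proving the request bytes were parsed as a format, while the fixed handler logs them unchanged. The guard is a review and monitoring aid, not a substitute for the fix: the only reliable mitigation is a literal format string with the untrusted value passed as an argument, which is what the vendor update provides.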
Recommendations

Update affected installations to a release outside the affected ranges:

FortiProxy 7.2.0 through 7.2.4 and 7.0.0 through 7.0.10
FortiOS 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.15, and 6.0.0 through 6.0.17
FortiPAM 1.0.0 through 1.0.3

Until the update is applied, restrict network access to the HTTPSd daemon, which serves the API that the crafted requests target, to trusted management hosts in order to reduce exposure.

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

BDU:2023-08764
CVE-2023-36639

Affected Products

FortiOS
FortiPAM
FortiProxy