CVE-2023-47536

Name of the Vulnerable Software and Affected Versions FortiOS versions 7.2.0, 7.0.13 and below, 6.4.14 and below FortiProxy versions 7.2.3 and below, 7.0.9 and below, 2.0.12 and below

Description The issue is related to improper access control, which may allow a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy. This can be achieved by timing the bypass with a GeoIP database update. The vulnerability is associated with deficiencies in access control, allowing an attacker to circumvent security restrictions.

Recommendations For FortiOS versions 7.2.0, 7.0.13 and below, 6.4.14 and below, update to a version that includes the fix for this issue. For FortiProxy versions 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the GeoIP database update functionality until a patch is available. Avoid using the GeoIP database update feature in the affected FortiOS and FortiProxy versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.