cvelistv5 - CVE-2023-34990

CVE-2023-34990 (GCVE-0-2023-34990)

Vulnerability from cvelistv5

Published

2024-12-18 12:44

Modified

2024-12-20 04:55

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F

CWE

CWE-23 - Execute unauthorized code or commands

Summary

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

References

URL

Tags

psirt@fortinet.com

https://fortiguard.com/psirt/FG-IR-23-144

Vendor Advisory

Impacted products

	Vendor	Product	Version
	Fortinet	FortiWLM	Version: 8.6.0 ≤ 8.6.5 Version: 8.5.0 ≤ 8.5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-34990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-19T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-20T04:55:50.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [],
          "defaultStatus": "unaffected",
          "product": "FortiWLM",
          "vendor": "Fortinet",
          "versions": [
            {
              "lessThanOrEqual": "8.6.5",
              "status": "affected",
              "version": "8.6.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.4",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "Execute unauthorized code or commands",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-18T12:44:38.664Z",
        "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "shortName": "fortinet"
      },
      "references": [
        {
          "name": "https://fortiguard.com/psirt/FG-IR-23-144",
          "url": "https://fortiguard.com/psirt/FG-IR-23-144"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please upgrade to FortiWLM version 8.6.6 or above \nPlease upgrade to FortiWLM version 8.5.5 or above"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
    "assignerShortName": "fortinet",
    "cveId": "CVE-2023-34990",
    "datePublished": "2024-12-18T12:44:38.664Z",
    "dateReserved": "2023-06-09T06:59:37.970Z",
    "dateUpdated": "2024-12-20T04:55:50.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-34990\",\"sourceIdentifier\":\"psirt@fortinet.com\",\"published\":\"2024-12-18T13:15:05.547\",\"lastModified\":\"2025-06-05T15:32:55.290\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.\"},{\"lang\":\"es\",\"value\":\"Path traversal relativo en Fortinet FortiWLM versi\u00f3n 8.6.0 a 8.6.5 y 8.5.0 a 8.5.4 permite a un atacante ejecutar c\u00f3digo o comandos no autorizados a trav\u00e9s de solicitudes web especialmente manipuladas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@fortinet.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@fortinet.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.5.0\",\"versionEndExcluding\":\"8.5.5\",\"matchCriteriaId\":\"03C48FF6-3BAA-49AF-AF2D-3BC1D395BFDE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndExcluding\":\"8.6.6\",\"matchCriteriaId\":\"4D875C08-1321-4343-92B3-36B12EA44A61\"}]}]}],\"references\":[{\"url\":\"https://fortiguard.com/psirt/FG-IR-23-144\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-34990\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-18T14:23:56.413943Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-18T14:29:57.561Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [], \"vendor\": \"Fortinet\", \"product\": \"FortiWLM\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.6.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.6.5\"}, {\"status\": \"affected\", \"version\": \"8.5.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.5.4\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Please upgrade to FortiWLM version 8.6.6 or above \\nPlease upgrade to FortiWLM version 8.5.5 or above\"}], \"references\": [{\"url\": \"https://fortiguard.com/psirt/FG-IR-23-144\", \"name\": \"https://fortiguard.com/psirt/FG-IR-23-144\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"Execute unauthorized code or commands\"}]}], \"providerMetadata\": {\"orgId\": \"6abe59d8-c742-4dff-8ce8-9b0ca1073da8\", \"shortName\": \"fortinet\", \"dateUpdated\": \"2024-12-18T12:44:38.664Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-34990\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-20T04:55:50.572Z\", \"dateReserved\": \"2023-06-09T06:59:37.970Z\", \"assignerOrgId\": \"6abe59d8-c742-4dff-8ce8-9b0ca1073da8\", \"datePublished\": \"2024-12-18T12:44:38.664Z\", \"assignerShortName\": \"fortinet\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2023-34990

Vulnerability from fkie_nvd

Published

2024-12-18 13:15

Modified

2025-06-05 15:32

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

References

	URL	Tags
	psirt@fortinet.com	https://fortiguard.com/psirt/FG-IR-23-144	Vendor Advisory

Impacted products

	Vendor	Product	Version
	fortinet	fortiwlm	*
	fortinet	fortiwlm	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "03C48FF6-3BAA-49AF-AF2D-3BC1D395BFDE",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D875C08-1321-4343-92B3-36B12EA44A61",
              "versionEndExcluding": "8.6.6",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests."
    },
    {
      "lang": "es",
      "value": "Path traversal relativo en Fortinet FortiWLM versi\u00f3n 8.6.0 a 8.6.5 y 8.5.0 a 8.5.4 permite a un atacante ejecutar c\u00f3digo o comandos no autorizados a trav\u00e9s de solicitudes web especialmente manipuladas."
    }
  ],
  "id": "CVE-2023-34990",
  "lastModified": "2025-06-05T15:32:55.290",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "psirt@fortinet.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-18T13:15:05.547",
  "references": [
    {
      "source": "psirt@fortinet.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://fortiguard.com/psirt/FG-IR-23-144"
    }
  ],
  "sourceIdentifier": "psirt@fortinet.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-23"
        }
      ],
      "source": "psirt@fortinet.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

ghsa-2pp3-2hr3-936m

Vulnerability from github

Published

2024-12-18 15:33

Modified

2024-12-18 15:33

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-34990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T13:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.",
  "id": "GHSA-2pp3-2hr3-936m",
  "modified": "2024-12-18T15:33:00Z",
  "published": "2024-12-18T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34990"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-144"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

L'éditeur indique que les correctifs concernant la vulnérabilité CVE-2024-50570 pour FortiClientLinux 7.0.14, 7.2.8 et 7.4.3 ne sont pas encore disponibles.

Impacted products

Vendor	Product	Description
Fortinet	FortiWLM	FortiWLM versions 8.6.x antérieures à 8.6.6
Fortinet	FortiClient	FortiClientWindows 7.4.x versions antérieures à 7.4.2
Fortinet	FortiManager	FortiManager versions 7.4.x antérieures à 7.4.5
Fortinet	FortiManager	FortiManager Cloud versions postérieures à 7.0.1 et antérieures à 7.0.13
Fortinet	FortiManager	FortiManager Cloud versions postérieures à 7.2.1 et antérieures à 7.2.8
Fortinet	FortiClient	FortiClientLinux 7.4.x versions antérieures à 7.4.3
Fortinet	FortiClient	FortiClientWindows 7.0.x versions antérieures à 7.0.14
Fortinet	FortiManager	FortiManager versions postérieures à 6.4.10 et antérieures à 6.4.15
Fortinet	FortiClient	FortiClientLinux 7.2.x versions antérieures à 7.2.8
Fortinet	FortiManager	FortiManager versions 7.6.x antérieures à 7.6.1
Fortinet	FortiWLM	FortiWLM versions 8.5.x antérieures à 8.5.5
Fortinet	FortiManager	FortiManager Cloud versions postérieures à 7.4.1 et antérieures à 7.4.5
Fortinet	FortiClient	FortiClientLinux 7.0.x versions antérieures à 7.0.14
Fortinet	FortiManager	FortiManager versions postérieures à 7.0.5 et antérieures à 7.0.13
Fortinet	FortiClient	FortiClientWindows 7.2.x versions antérieures à 7.2.7
Fortinet	FortiManager	FortiManager versions postérieures à 7.2.3 et antérieures à 7.2.8

References

Title

Publication Time

cnvd-2024-49638

Vulnerability from cnvd

Title

Fortinet FortiWLM路径遍历漏洞（CNVD-2024-4963848）

Description

Fortinet FortiWLM是美国飞塔（Fortinet）公司的一个无线管理器。 Fortinet FortiWLM存在路径遍历漏洞，该漏洞源于程序未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞通过精心构造的web请求执行未经授权的代码或命令。

Severity

高

Patch Name

Fortinet FortiWLM路径遍历漏洞（CNVD-2024-4963848）的补丁

Patch Description

Fortinet FortiWLM是美国飞塔（Fortinet）公司的一个无线管理器。 Fortinet FortiWLM存在路径遍历漏洞，该漏洞源于程序未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞通过精心构造的web请求执行未经授权的代码或命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://docs.fortinet.com/document/fortiwlm/8.6.6/release-notes/682570/about-fortiwlm-8-6-6

Reference

https://fortiguard.com/psirt/FG-IR-23-144

Impacted products

Name
['Fortinet FortiWLM >=8.6.0，<=8.6.5', 'Fortinet FortiWLM >=8.5.0，<=8.5.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-34990",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-34990"
    }
  },
  "description": "Fortinet FortiWLM\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u65e0\u7ebf\u7ba1\u7406\u5668\u3002\n\nFortinet FortiWLM\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u8d44\u6e90\u6216\u6587\u4ef6\u8def\u5f84\u4e2d\u7684\u7279\u6b8a\u5143\u7d20\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684web\u8bf7\u6c42\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u4ee3\u7801\u6216\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://docs.fortinet.com/document/fortiwlm/8.6.6/release-notes/682570/about-fortiwlm-8-6-6",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49638",
  "openTime": "2024-12-26",
  "patchDescription": "Fortinet FortiWLM\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u65e0\u7ebf\u7ba1\u7406\u5668\u3002\r\n\r\nFortinet FortiWLM\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u8d44\u6e90\u6216\u6587\u4ef6\u8def\u5f84\u4e2d\u7684\u7279\u6b8a\u5143\u7d20\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684web\u8bf7\u6c42\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u4ee3\u7801\u6216\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Fortinet FortiWLM\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff08CNVD-2024-4963848\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Fortinet FortiWLM \u003e=8.6.0\uff0c\u003c=8.6.5",
      "Fortinet FortiWLM \u003e=8.5.0\uff0c\u003c=8.5.4"
    ]
  },
  "referenceLink": "https://fortiguard.com/psirt/FG-IR-23-144",
  "serverity": "\u9ad8",
  "submitTime": "2024-12-25",
  "title": "Fortinet FortiWLM\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff08CNVD-2024-4963848\uff09"
}

ncsc-2024-0494

Vulnerability from csaf_ncscnl

Published

2024-12-19 14:53

Modified

2024-12-19 14:53

Summary

Kwetsbaarheid verholpen in Fortinet FortiWLM

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Fortinet heeft een kwetsbaarheid verholpen in FortiWLM (Specifiek voor versies 8.6.0 tot 8.6.5 en 8.5.0 tot 8.5.4).

Interpretaties

De kwetsbaarheid bevindt zich in de relatieve pad-traversal functionaliteit van FortiWLM, waardoor externe, niet-geauthenticeerde aanvallers ongeautoriseerde code kunnen uitvoeren via speciaal samengestelde webverzoeken. Dit kan leiden tot ongeautoriseerde toegang tot gevoelige bestanden binnen de getroffen systemen. FortiWLM is een module voor FortiManager om specifiek wireless networks te managen die ontsloten worden via FortiGate. Voor succesvol misbruik moet de kwaadwillende toegang hebben tot de infrastructuur die middels FortiManager wordt beheerd.

Oplossingen

Fortinet heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-23

Relative Path Traversal

CWE-94

Improper Control of Generation of Code ('Code Injection')

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Fortinet heeft een kwetsbaarheid verholpen in FortiWLM (Specifiek voor versies 8.6.0 tot 8.6.5 en 8.5.0 tot 8.5.4).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid bevindt zich in de relatieve pad-traversal functionaliteit van FortiWLM, waardoor externe, niet-geauthenticeerde aanvallers ongeautoriseerde code kunnen uitvoeren via speciaal samengestelde webverzoeken. Dit kan leiden tot ongeautoriseerde toegang tot gevoelige bestanden binnen de getroffen systemen.\nFortiWLM is een module voor FortiManager om specifiek wireless networks te managen die ontsloten worden via FortiGate.\n\nVoor succesvol misbruik moet de kwaadwillende toegang hebben tot de infrastructuur die middels FortiManager wordt beheerd.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Fortinet heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Relative Path Traversal",
        "title": "CWE-23"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd",
        "url": "https://fortiguard.com/psirt/FG-IR-23-144"
      }
    ],
    "title": "Kwetsbaarheid verholpen in Fortinet FortiWLM",
    "tracking": {
      "current_release_date": "2024-12-19T14:53:01.724784Z",
      "id": "NCSC-2024-0494",
      "initial_release_date": "2024-12-19T14:53:01.724784Z",
      "revision_history": [
        {
          "date": "2024-12-19T14:53:01.724784Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "fortiwlm",
            "product": {
              "name": "fortiwlm",
              "product_id": "CSAFPID-594700",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "fortinet"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-34990",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "other",
          "text": "Relative Path Traversal",
          "title": "CWE-23"
        },
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-594700"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-34990",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-34990.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-594700"
          ]
        }
      ],
      "title": "CVE-2023-34990"
    }
  ]
}

NCSC-2024-0494

Vulnerability from csaf_ncscnl

Published

2024-12-19 14:53

Modified

2024-12-19 14:53

Summary

Kwetsbaarheid verholpen in Fortinet FortiWLM

Notes

Feiten

Fortinet heeft een kwetsbaarheid verholpen in FortiWLM (Specifiek voor versies 8.6.0 tot 8.6.5 en 8.5.0 tot 8.5.4).

Interpretaties

Oplossingen

Fortinet heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-23

Relative Path Traversal

CWE-94

Improper Control of Generation of Code ('Code Injection')

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Fortinet heeft een kwetsbaarheid verholpen in FortiWLM (Specifiek voor versies 8.6.0 tot 8.6.5 en 8.5.0 tot 8.5.4).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid bevindt zich in de relatieve pad-traversal functionaliteit van FortiWLM, waardoor externe, niet-geauthenticeerde aanvallers ongeautoriseerde code kunnen uitvoeren via speciaal samengestelde webverzoeken. Dit kan leiden tot ongeautoriseerde toegang tot gevoelige bestanden binnen de getroffen systemen.\nFortiWLM is een module voor FortiManager om specifiek wireless networks te managen die ontsloten worden via FortiGate.\n\nVoor succesvol misbruik moet de kwaadwillende toegang hebben tot de infrastructuur die middels FortiManager wordt beheerd.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Fortinet heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Relative Path Traversal",
        "title": "CWE-23"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd",
        "url": "https://fortiguard.com/psirt/FG-IR-23-144"
      }
    ],
    "title": "Kwetsbaarheid verholpen in Fortinet FortiWLM",
    "tracking": {
      "current_release_date": "2024-12-19T14:53:01.724784Z",
      "id": "NCSC-2024-0494",
      "initial_release_date": "2024-12-19T14:53:01.724784Z",
      "revision_history": [
        {
          "date": "2024-12-19T14:53:01.724784Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "fortiwlm",
            "product": {
              "name": "fortiwlm",
              "product_id": "CSAFPID-594700",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "fortinet"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-34990",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "other",
          "text": "Relative Path Traversal",
          "title": "CWE-23"
        },
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-594700"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-34990",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-34990.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-594700"
          ]
        }
      ],
      "title": "CVE-2023-34990"
    }
  ]
}

gsd-2023-34990

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2023-34990

Aliases

CVE-2023-34990

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-34990",
    "id": "GSD-2023-34990"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-34990"
      ],
      "id": "GSD-2023-34990",
      "modified": "2023-12-13T01:20:30.589556Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-34990",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-34990 (GCVE-0-2023-34990)

Vulnerability from cvelistv5

fkie_cve-2023-34990

Vulnerability from fkie_nvd

ghsa-2pp3-2hr3-936m

Vulnerability from github

CERTFR-2024-AVI-1096

Vulnerability from certfr_avis

Solutions

cnvd-2024-49638

Vulnerability from cnvd

ncsc-2024-0494

Vulnerability from csaf_ncscnl

NCSC-2024-0494

Vulnerability from csaf_ncscnl

gsd-2023-34990

Vulnerability from gsd

Tags

Sightings

Nomenclature