cnvd - cnvd-2024-13752

cnvd-2024-13752

Vulnerability from cnvd

Title

Fortinet FortiProxy,FortiOS,FortiPAM格式化字符串错误漏洞

Description

Fortinet FortiProxy是美国飞塔（Fortinet）公司的一种安全的网络代理，通过结合多种检测技术，如Web过滤、DNS过滤、DLP、反病毒、入侵防御和高级威胁保护，可以保护员工免受网络攻击。FortiProxy有助于减少带宽需求，并通过内容和视频缓存优化网络。 Fortinet FortiProxy,FortiOS,FortiPAM存在格式化字符串错误漏洞，该漏洞源于存在外部控制格式字符串的使用。攻击者可利用该漏洞通过特制的API请求执行未经授权的代码或命令。

Severity

高

Patch Name

Fortinet FortiProxy,FortiOS,FortiPAM格式化字符串错误漏洞的补丁

Patch Description

Formal description

厂商已提供漏洞修复方案，请关注厂商主页更新： https://fortiguard.com/psirt/FG-IR-23-138

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-36639

Impacted products

Name
['Fortinet FortiProxy >=7.0.0，<=7.0.10', 'Fortinet FortiOS >=7.2.0，<=7.2.4', 'Fortinet FortiOS 7.4.0', 'Fortinet FortiProxy >=7.2.0，<=7.2.4', 'Fortinet FortiPAM 1.1.0', 'Fortinet FortiPAM >=1.0.0，<=1.0.3', 'Fortinet FortiOS >=7.0.0，<=7.0.11', 'Fortinet FortiOS >=6.4.0，<=6.4.12', 'Fortinet FortiOS >=6.2.0，<=6.2.15', 'Fortinet FortiOS >=6.0.0，<=6.0.17']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-36639",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-36639"
    }
  },
  "description": "Fortinet FortiProxy\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u7684\u4e00\u79cd\u5b89\u5168\u7684\u7f51\u7edc\u4ee3\u7406\uff0c\u901a\u8fc7\u7ed3\u5408\u591a\u79cd\u68c0\u6d4b\u6280\u672f\uff0c\u5982Web\u8fc7\u6ee4\u3001DNS\u8fc7\u6ee4\u3001DLP\u3001\u53cd\u75c5\u6bd2\u3001\u5165\u4fb5\u9632\u5fa1\u548c\u9ad8\u7ea7\u5a01\u80c1\u4fdd\u62a4\uff0c\u53ef\u4ee5\u4fdd\u62a4\u5458\u5de5\u514d\u53d7\u7f51\u7edc\u653b\u51fb\u3002FortiProxy\u6709\u52a9\u4e8e\u51cf\u5c11\u5e26\u5bbd\u9700\u6c42\uff0c\u5e76\u901a\u8fc7\u5185\u5bb9\u548c\u89c6\u9891\u7f13\u5b58\u4f18\u5316\u7f51\u7edc\u3002\n\nFortinet FortiProxy,FortiOS,FortiPAM\u5b58\u5728\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u5916\u90e8\u63a7\u5236\u683c\u5f0f\u5b57\u7b26\u4e32\u7684\u4f7f\u7528\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u7684API\u8bf7\u6c42\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u4ee3\u7801\u6216\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://fortiguard.com/psirt/FG-IR-23-138",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-13752",
  "openTime": "2024-03-18",
  "patchDescription": "Fortinet FortiProxy\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u7684\u4e00\u79cd\u5b89\u5168\u7684\u7f51\u7edc\u4ee3\u7406\uff0c\u901a\u8fc7\u7ed3\u5408\u591a\u79cd\u68c0\u6d4b\u6280\u672f\uff0c\u5982Web\u8fc7\u6ee4\u3001DNS\u8fc7\u6ee4\u3001DLP\u3001\u53cd\u75c5\u6bd2\u3001\u5165\u4fb5\u9632\u5fa1\u548c\u9ad8\u7ea7\u5a01\u80c1\u4fdd\u62a4\uff0c\u53ef\u4ee5\u4fdd\u62a4\u5458\u5de5\u514d\u53d7\u7f51\u7edc\u653b\u51fb\u3002FortiProxy\u6709\u52a9\u4e8e\u51cf\u5c11\u5e26\u5bbd\u9700\u6c42\uff0c\u5e76\u901a\u8fc7\u5185\u5bb9\u548c\u89c6\u9891\u7f13\u5b58\u4f18\u5316\u7f51\u7edc\u3002\r\n\r\nFortinet FortiProxy,FortiOS,FortiPAM\u5b58\u5728\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u5916\u90e8\u63a7\u5236\u683c\u5f0f\u5b57\u7b26\u4e32\u7684\u4f7f\u7528\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u7684API\u8bf7\u6c42\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u4ee3\u7801\u6216\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Fortinet FortiProxy,FortiOS,FortiPAM\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Fortinet FortiProxy \u003e=7.0.0\uff0c\u003c=7.0.10",
      "Fortinet FortiOS \u003e=7.2.0\uff0c\u003c=7.2.4",
      "Fortinet FortiOS 7.4.0",
      "Fortinet FortiProxy \u003e=7.2.0\uff0c\u003c=7.2.4",
      "Fortinet FortiPAM 1.1.0",
      "Fortinet FortiPAM \u003e=1.0.0\uff0c\u003c=1.0.3",
      "Fortinet FortiOS \u003e=7.0.0\uff0c\u003c=7.0.11",
      "Fortinet FortiOS \u003e=6.4.0\uff0c\u003c=6.4.12",
      "Fortinet FortiOS \u003e=6.2.0\uff0c\u003c=6.2.15",
      "Fortinet FortiOS \u003e=6.0.0\uff0c\u003c=6.0.17"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-36639",
  "serverity": "\u9ad8",
  "submitTime": "2023-12-21",
  "title": "Fortinet FortiProxy,FortiOS,FortiPAM\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2023-36639 (GCVE-0-2023-36639)

Vulnerability from cvelistv5

Published

2023-12-13 06:42

Modified

2024-08-02 16:52

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C

CWE

CWE-134 - Execute unauthorized code or commands

Summary

A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, FortiOS versions 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiPAM versions 1.0.0 through 1.0.3 allows attacker to execute unauthorized code or commands via specially crafted API requests.

References

URL

Tags

https://fortiguard.com/psirt/FG-IR-23-138

Impacted products

Vendor

Product

Version

Fortinet

FortiOS

Version: 7.4.0
Version: 7.2.0   ≤ 7.2.4
Version: 7.0.0   ≤ 7.0.11
Version: 6.4.0   ≤ 6.4.12
Version: 6.2.0   ≤ 6.2.15
Version: 6.0.0   ≤ 6.0.17

	Fortinet	FortiPAM	Version: 1.1.0 Version: 1.0.0 ≤ 1.0.3
	Fortinet	FortiProxy	Version: 7.2.0 ≤ 7.2.4 Version: 7.0.0 ≤ 7.0.10

Show details on NVD website