Buffer Overflow in Fortinet FortiAnalyzer, FortiManager, and FortiOS
CVE-2021-43072

6.3HIGH

Key Information:

Vendor: Fortinet
Status: Fortianalyzer; Fortimanager
Vendor: CVE Published:; 18 July 2023

Summary

A buffer copy without size checks vulnerability exists in Fortinet's FortiAnalyzer, FortiManager, FortiOS, and FortiProxy products. This flaw allows attackers to execute unauthorized commands or code through specially crafted CLI operations such as execute restore image and execute certificate remote, leveraging the tFTP protocol. Affected versions span various releases, creating significant risks for systems that remain unpatched.

Affected Version(s)

FortiAnalyzer 7.0.0 <= 7.0.2

FortiAnalyzer 6.4.0 <= 6.4.7

FortiAnalyzer 6.2.0 <= 6.2.12

References

https://fortiguard.com/advisory/FG-IR-21-206

CVSS V3.1

Score:

6.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 18, 2023
Vulnerability Reserved
Oct 28, 2021