Description

According to Fortinet's report, the FortiNAC web server is vulnerable to unauthenticated arbitrary file upload due to a directory traversal vulnerability that occurs when unpacking a user-provided zip file at the endpoint /configWizard/keyUpload.jsp. The following versions are affected:

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC versions 8.3 through 8.8

Remediation

Upgrade to one of the following fixed releases:

  • FortiNAC version 9.4.1 or above
  • FortiNAC version 9.2.6 or above
  • FortiNAC version 9.1.8 or above
  • FortiNAC version 7.2.0 or above
