Description

According to Fortinet's report, the FortiNAC web server is vulnerable to unauthenticated arbitrary file upload due to a directory traversal vulnerability that occurs when unpacking a user-provided zip file at the endpoint /configWizard/keyUpload.jsp. The following versions are affected:

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC versions 8.3 through 8.8

Remediation

Please upgrade to FortiNAC version 9.4.1 or above.
Please upgrade to FortiNAC version 9.2.6 or above.
Please upgrade to FortiNAC version 9.1.8 or above.
Please upgrade to FortiNAC version 7.2.0 or above.

References

FortiNAC - External Control of File Name or Path in keyUpload scriptlet

Perspectives: FortiNAC and CVE-2022-39952

Related Vulnerabilities

WordPress Plugin MailPress Remote Code Execution (7.0.2)

vBulletin 5 CONNECT remote code execution

ImageMagick remote code execution

WordPress Plugin Advanced Access Manager Arbitrary Code Execution (2.8.2)

WordPress Plugin Ad Inserter-Ad Manager & AdSense Ads Remote Code Execution (2.4.21)

Severity

High

Classification

CVE-2022-39952 CWE-610 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Unauthenticated File Upload Arbitrary File Creation Directory Traversal