Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure
2024-02-08 00:55

Fortinet is warning of two new, still unpatched bypasses of the fix for a critical remote code execution vulnerability in FortiSIEM, Fortinet's SIEM solution.

Fortinet added the two new vulnerabilities, tracked as CVE-2024-23108 and CVE-2024-23109, to the original advisory for the CVE-2023-34992 flaw in a very confusing update.

"There is no new vulnerability published for FortiSIEM so far in 2024, this is a system level error and we are working to rectify and withdraw the erroneous entries."

On X, Zach stated that the new CVEs are patch bypasses for CVE-2023-34992, and the new IDs were assigned to him by Fortinet.

After contacting Fortinet once again, we were told their previous statement was "Misstated" and that the two new CVEs are variants of the original flaw.

News URL

https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/

Related Vulnerability

Date: 2024-02-05
CVE: CVE-2024-23109
Title: OS Command Injection vulnerability in Fortinet FortiSIEM
Description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.
Attack vector: network; attack complexity: low; vendor: Fortinet; weakness: CWE-78
Risk: critical (CVSS 9.8)

Date: 2024-02-05
CVE: CVE-2024-23108
Title: Unspecified vulnerability in Fortinet FortiSIEM
Description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.
Attack vector: network; attack complexity: low; vendor: Fortinet
Risk: critical (CVSS 9.8)

Date: 2023-10-10
CVE: CVE-2023-34992
Title: OS Command Injection vulnerability in Fortinet FortiSIEM
Description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.5, 6.6.0 through 6.6.3, 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.
Attack vector: network; attack complexity: low; vendor: Fortinet; weakness: CWE-78
Risk: critical (CVSS 9.8)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 77 15 314 277 81 687