PSIRT Advisory

CVE-2019-9193 PostgreSQL allows OS level commands via COPY SQL function

Summary

An OS command injection vulnerability in FortiManager and FortiAnalyzer may allow a privileged system administrator to run OS-level commands on the system by injecting commands into SQL queries.
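
The CVE referenced in the title concerns PostgreSQL's COPY ... FROM PROGRAM / TO PROGRAM, which hands a command to the database server's OS shell. The following added example (not Fortinet's code) shows how a defender can scan PostgreSQL statement logs for that construct; it assumes a log_line_prefix of `%m [%p]: user=%u,db=%d ` with `log_statement = 'all'`, and the log lines are constructed.

```python
import re
from typing import Dict, List

# Assumed log_line_prefix: '%m [%p]: user=%u,db=%d ' followed by the
# standard "LOG:  statement: <sql>" emitted with log_statement = 'all'.
_STATEMENT = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\]: "
    r"user=(?P<user>[^,]+),db=(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# COPY ... FROM PROGRAM / TO PROGRAM (the server-side command execution
# behind CVE-2019-9193). Case-insensitive; tolerates newlines, extra
# whitespace and /* */ comments between FROM/TO and PROGRAM, since the
# PostgreSQL lexer treats comments as whitespace.
_COPY_PROGRAM = re.compile(
    r"\bCOPY\b.*?\b(?P<direction>FROM|TO)(?:\s|/\*.*?\*/)+PROGRAM\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample log lines (not real data); commands are benign.
SAMPLE_LOG = """\
2020-04-01 10:00:01 UTC [1234]: user=app,db=fmg LOG:  statement: SELECT 1
2020-04-01 10:00:02 UTC [1234]: user=app,db=fmg LOG:  statement: COPY events FROM '/tmp/events.csv' CSV
2020-04-01 10:00:03 UTC [1235]: user=admin,db=fmg LOG:  statement: copy cmd_out from   program 'id'
2020-04-01 10:00:04 UTC [1235]: user=admin,db=fmg LOG:  statement: COPY (SELECT 1) TO/*x*/PROGRAM 'hostname'
2020-04-01 10:00:05 UTC [1236]: user=app,db=fmg LOG:  statement: SELECT program FROM schedules
"""


def find_copy_program(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per logged statement that uses COPY ... PROGRAM."""
    findings = []
    for line in log_text.splitlines():
        entry = _STATEMENT.match(line)
        if not entry:
            continue  # not a statement line, or an unexpected prefix
        hit = _COPY_PROGRAM.search(entry.group("sql"))
        if hit:
            findings.append({
                "ts": entry.group("ts"),
                "user": entry.group("user"),
                "db": entry.group("db"),
                "direction": hit.group("direction").upper(),
                "sql": entry.group("sql"),
            })
    return findings


if __name__ == "__main__":
    for f in find_copy_program(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} COPY {f['direction']} PROGRAM: {f['sql']}")
```

Plain file-based COPY and statements that merely mention the word PROGRAM are not flagged; only the FROM/TO PROGRAM form is.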

Impact

Escalation of privilege, OS Command Injection

Affected Products

FortiAnalyzer 6.2.0 to 6.2.3, 6.0.8 and below

FortiManager 6.2.0 to 6.2.3, 6.0.8 and below

Solutions

Upgrade FortiAnalyzer to version 6.0.9 or above, or to version 6.2.4 or above.

Upgrade FortiManager to version 6.0.9 or above, or to version 6.2.4 or above.

Acknowledgement

Fortinet is pleased to thank "Renee Trisberg from SpectX (https://www.spectx.com/)" and "Chris Armstrong from CSCI, Inc" for reporting this vulnerability under responsible disclosure.

References