FortiSOAR - PostgreSQL DB access to local users

Summary

A missing authentication for critical function [CWE-306] vulnerability in FortiSOAR's Postgres database may allow a local attacker to access sensitive information by logging in to the database with a privileged account without a password.
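
A defender-side check for the condition described above, as an added example that is not part of the advisory or Fortinet's code: it scans PostgreSQL host-based authentication rules (pg_hba.conf) for the `trust` method, which admits a connection without any password. The advisory does not state how the passwordless access is configured in FortiSOAR; that it is a `trust` rule is an assumption, and the function names and sample rules are constructed for illustration.

```python
import ipaddress

# Added example (not vendor code). Assumption: passwordless access comes from a 'trust' rule.
METHODS = set("trust reject scram-sha-256 md5 password gss sspi ident peer "
              "ldap radius cert pam bsd".split())  # pg_hba.conf auth methods

def scope_of(conn_type, address, mask=None):
    """Classify where a rule is reachable from: unix-socket, loopback or network."""
    if conn_type == "local":
        return "unix-socket"
    if address in ("samehost", "localhost"):
        return "loopback"
    try:
        net = ipaddress.ip_network(f"{address}/{mask}" if mask else address, strict=False)
    except ValueError:
        return "network"  # hostname, "all", "samenet" or an unparsable address
    return "loopback" if net.is_loopback else "network"

def find_trust_rules(text):
    """Return (line_no, scope, database, user) for every rule whose method is 'trust'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 4:
            continue
        conn_type, database, user = fields[:3]
        if conn_type == "local":  # local DATABASE USER METHOD
            address, mask, method = None, None, fields[3]
        elif conn_type.startswith("host") and len(fields) >= 5 and fields[4] in METHODS:
            address, mask, method = fields[3], None, fields[4]  # CIDR or name form
        elif conn_type.startswith("host") and len(fields) >= 6:
            address, mask, method = fields[3], fields[4], fields[5]  # IP + netmask form
        else:
            continue
        if method == "trust":
            findings.append((line_no, scope_of(conn_type, address, mask), database, user))
    return findings

# Constructed sample rules, not taken from a FortiSOAR system.
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       postgres                             trust
local   all       all                                  peer
host    all       all       127.0.0.1/32               trust
host    all       all       ::1/128                    scram-sha-256
host    all       all       127.0.0.1 255.255.255.255  trust
"""

if __name__ == "__main__":
    print(*find_trust_rules(SAMPLE), sep="\n")
```

Any `unix-socket` or `loopback` finding means a local user can connect as the listed database role without a password; the file to feed in is the one reported by `SHOW hba_file;` on the server.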

Affected Products

FortiSOAR 7.2 all versions
FortiSOAR 7.0 all versions
FortiSOAR 6.4 all versions

Solutions

Please upgrade to the upcoming FortiSOAR version 7.3.0 or above.

Acknowledgement

Fortinet is pleased to thank Alok Agarwal from Fortinet's Dev team.