CVE-2023-34990 - Vulnerability Details - OpenCVE

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.29185.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Fortinet Subscribe	Fortiwlm Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortiwlm::::::::
	cpe:2.3:a:fortinet:fortiwlm::::::::

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Please upgrade to FortiWLM version 8.6.6 or above Please upgrade to FortiWLM version 8.5.5 or above

Workaround

No workaround given by the vendor.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-23-144

History

Fri, 06 Jun 2025 01:00:00 +0900

Type	Values Removed	Values Added
First Time appeared		Fortinet Fortinet fortiwlm
CPEs		cpe:2.3:a:fortinet:fortiwlm::::::::
Vendors & Products		Fortinet Fortinet fortiwlm

Thu, 19 Dec 2024 00:15:00 +0900

Type	Values Removed	Values Added
Weaknesses		CWE-94
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 18 Dec 2024 22:00:00 +0900

Type	Values Removed	Values Added
Description		A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
Weaknesses		CWE-23
References		https://fortiguard.com/psirt/FG-IR-23-144
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2024-12-18T12:44:38.664Z

Updated: 2024-12-20T04:55:50.572Z

Reserved: 2023-06-09T06:59:37.970Z

Link: CVE-2023-34990

Vulnrichment

Updated: 2024-12-18T14:29:57.561Z

NVD

Status : Analyzed

Published: 2024-12-18T13:15:05.547

Modified: 2025-06-05T15:32:55.290

Link: CVE-2023-34990

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34990", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-06-09T06:59:37.970Z", "datePublished": "2024-12-18T12:44:38.664Z", "dateUpdated": "2024-12-20T04:55:50.572Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiWLM", "cpes": [], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "8.6.0", "lessThanOrEqual": "8.6.5", "status": "affected"}, {"versionType": "semver", "version": "8.5.0", "lessThanOrEqual": "8.5.4", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-12-18T12:44:38.664Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-23", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWLM version 8.6.6 or above \nPlease upgrade to FortiWLM version 8.5.5 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-23-144", "url": "https://fortiguard.com/psirt/FG-IR-23-144"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-12-19T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2023-34990"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T04:55:50.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-34990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-18T14:23:56.413943Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-18T14:29:57.561Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": [], "vendor": "Fortinet", "product": "FortiWLM", "versions": [{"status": "affected", "version": "8.6.0", "versionType": "semver", "lessThanOrEqual": "8.6.5"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.4"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWLM version 8.6.6 or above \nPlease upgrade to FortiWLM version 8.5.5 or above"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-23-144", "name": "https://fortiguard.com/psirt/FG-IR-23-144"}], "descriptions": [{"lang": "en", "value": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-12-18T12:44:38.664Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34990", "state": "PUBLISHED", "dateUpdated": "2024-12-20T04:55:50.572Z", "dateReserved": "2023-06-09T06:59:37.970Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2024-12-18T12:44:38.664Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*", "matchCriteriaId": "03C48FF6-3BAA-49AF-AF2D-3BC1D395BFDE", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D875C08-1321-4343-92B3-36B12EA44A61", "versionEndExcluding": "8.6.6", "versionStartIncluding": "8.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests."}, {"lang": "es", "value": "Path traversal relativo en Fortinet FortiWLM versi\u00f3n 8.6.0 a 8.6.5 y 8.5.0 a 8.5.4 permite a un atacante ejecutar c\u00f3digo o comandos no autorizados a trav\u00e9s de solicitudes web especialmente manipuladas."}], "id": "CVE-2023-34990", "lastModified": "2025-06-05T15:32:55.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-12-18T13:15:05.547", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-23-144"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "psirt@fortinet.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}