Fortinet FortiManager
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*, +1 more
- < 7.4.3
A vulnerability allowing web cache poisoning has been identified in multiple Fortinet products, including FortiManager, FortiMail, FortiAnalyzer, FortiVoice, FortiProxy, FortiRecorder, FortiAuthenticator, FortiNDR, FortiWLC, FortiPortal, FortiOS, FortiADC, FortiDDoS, FortiDDoS-F, FortiTester, FortiSOAR, and FortiSwitch. The vulnerability exists in the following versions:
- FortiManager versions prior to 7.4.3
- FortiMail versions prior to 7.0.3
- FortiAnalyzer versions prior to 7.4.3
- FortiVoice versions 7.0.0, 7.0.1, and prior to 6.4.8
- FortiProxy versions prior to 7.0.4
- FortiRecorder versions 6.4.0 through 6.4.2 and prior to 6.0.10
- FortiAuthenticator versions 6.4.0 through 6.4.1 and prior to 6.3.3
- FortiNDR versions 7.2.0 prior to 7.1.0
- FortiWLC versions prior to 8.6.4
- FortiPortal versions prior to 6.0.9
- FortiOS versions 7.2.0 and prior to 7.0.5
- FortiADC versions 7.0.0 through 7.0.1 and prior to 6.2.3
- FortiDDoS versions prior to 5.5.1
- FortiDDoS-F versions prior to 6.3.3
- FortiTester versions prior to 7.2.1
- FortiSOAR versions prior to 7.2.2
- FortiSwitch versions prior to 6.3.3

This vulnerability allows an attacker to poison web caches by sending crafted HTTP requests whose `Host` header points to an arbitrary web server.
Exploitation of this vulnerability allows for web cache poisoning, where an attacker can manipulate the cache of a web application or server, potentially leading to the delivery of malicious content to users or causing other disruptive effects on the web application’s caching behavior.