CVE-2018-13379
high-risk
Published 2019-06-04
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Do I need to act?
94.5% chance of exploitation in next 30 days (EPSS score: higher than 6% of all CVEs)
CISA KEV: actively exploited in the wild. On the Known Exploited Vulnerabilities catalog; federal agencies must patch.
Patch status unknown. Check vendor advisories for fix availability and mitigation guidance.
CVSS 9.1/10 (Critical): NETWORK attack vector, LOW attack complexity
Affected Products (3)
Affected Vendors
References (5)
Mitigation
https://fortiguard.com/advisory/FG-IR-18-384
Vendor Advisory
https://www.fortiguard.com/psirt/FG-IR-20-233
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-...
Get this data via API
curl -H "Authorization: Bearer YOUR_KEY" \
https://cyber.phasetransitions.ai/api/v1/cves/CVE-2018-13379
Risk score: 67/100 (high-risk)
Severity: 31/34 · Critical
Exploitability: 27/34 · High
Exposure: 9/34 · Low