CVE-2023-37934 - Vulnerability Details - OpenCVE

Description

An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiPAM 1.0 all versions allows an authenticated attacker to perform a denial of service attack via sending crafted HTTP or HTTPS requests in a high frequency.

Published: 2024-01-10

Score: 4.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortinet

FortiPAM

unaffected

Version	Status	Constraints
`1.0.0`	affected	≤ 1.0.3

Configuration 1 [-]

cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Please upgrade to FortiPAM version 1.1.0 or above

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-41787	An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiPAM 1.0 all versions allows an authenticated attacker to perform a denial of service attack via sending crafted HTTP or HTTPS requests in a high frequency.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00143.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-23-226

History

Tue, 17 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Fortinet Fortipam

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2024-01-10T17:51:36.939Z

Updated: 2025-06-17T20:59:11.662Z

Reserved: 2023-07-11T08:16:54.092Z

Link: CVE-2023-37934

Vulnrichment

Updated: 2024-08-02T17:23:27.765Z

NVD

Status : Modified

Published: 2024-01-10T18:15:45.823

Modified: 2024-11-21T08:12:29.930

Link: CVE-2023-37934

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-770

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37934", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-07-11T08:16:54.092Z", "datePublished": "2024-01-10T17:51:36.939Z", "dateUpdated": "2025-06-17T20:59:11.662Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiPAM", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "1.0.0", "lessThanOrEqual": "1.0.3", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiPAM 1.0 all versions allows an authenticated attacker to perform a denial of service attack via sending crafted HTTP or HTTPS requests in a high frequency."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-01-10T17:51:36.939Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "Denial of service", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:F/RL:X/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiPAM version 1.1.0 or above \n"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-23-226", "url": "https://fortiguard.com/psirt/FG-IR-23-226"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.765Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-23-226", "url": "https://fortiguard.com/psirt/FG-IR-23-226", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37934", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-10T19:08:34.113124Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T20:59:11.662Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-23-226", "name": "https://fortiguard.com/psirt/FG-IR-23-226", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.765Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37934", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-10T19:08:34.113124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T20:49:36.815Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:F/RL:X/RC:C", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Fortinet", "product": "FortiPAM", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiPAM version 1.1.0 or above \n"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-23-226", "name": "https://fortiguard.com/psirt/FG-IR-23-226"}], "descriptions": [{"lang": "en", "value": "An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiPAM 1.0 all versions allows an authenticated attacker to perform a denial of service attack via sending crafted HTTP or HTTPS requests in a high frequency."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "Denial of service"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-01-10T17:51:36.939Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37934", "state": "PUBLISHED", "dateUpdated": "2025-06-17T20:59:11.662Z", "dateReserved": "2023-07-11T08:16:54.092Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2024-01-10T17:51:36.939Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "matchCriteriaId": "5296F4A1-F228-451A-9B42-A418B7DCFFBA", "versionEndExcluding": "1.1.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiPAM 1.0 all versions allows an authenticated attacker to perform a denial of service attack via sending crafted HTTP or HTTPS requests in a high frequency."}, {"lang": "es", "value": "Una vulnerabilidad de asignaci\u00f3n de recursos sin l\u00edmites o de limitaci\u00f3n [CWE-770] en FortiPAM 1.0 en todas las versiones permite a un atacante autenticado realizar un ataque de denegaci\u00f3n de servicio mediante el env\u00edo de solicitudes HTTP o HTTPS manipuladas con alta frecuencia."}], "id": "CVE-2023-37934", "lastModified": "2024-11-21T08:12:29.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-10T18:15:45.823", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-23-226"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-23-226"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "psirt@fortinet.com", "type": "Secondary"}]}