CVE-2024-33502

Summary

An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14 and 6.2.0 through 6.2.12 and 6.0.0 through 6.0.12 allows attacker to execute unauthorized code or commands via crafted HTTP or HTTPs requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.4.0 <= 7.4.2affected
FortinetFortiManager7.2.0 <= 7.2.5affected
FortinetFortiManager7.0.0 <= 7.0.13affected
FortinetFortiManager6.4.0 <= 6.4.15affected
FortinetFortiManager6.2.0 <= 6.2.13affected
FortinetFortiManager6.0.0 <= 6.0.12affected
FortinetFortiAnalyzer7.4.0 <= 7.4.2affected
FortinetFortiAnalyzer7.2.0 <= 7.2.5affected
FortinetFortiAnalyzer7.0.0 <= 7.0.13affected
FortinetFortiAnalyzer6.4.0 <= 6.4.15affected
FortinetFortiAnalyzer6.2.0 <= 6.2.13affected
FortinetFortiAnalyzer6.0.0 <= 6.0.12affected

Weaknesses

  • CWE-22: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References