CVE-2024-33504

Summary

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.6.0 <= 7.6.1affected
FortinetFortiManager7.4.0 <= 7.4.5affected
FortinetFortiManager7.2.0 <= 7.2.9affected
FortinetFortiManager7.0.0 <= 7.0.13affected
FortinetFortiManager6.4.0 <= 6.4.15affected

Weaknesses

  • CWE-321: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References