CVE-2024-40585

Summary

An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiManager version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below and FortiAnalyzer version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below eventlog may allow any low privileged user with access to event log section to retrieve certificate private key and encrypted password logged as system log.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiAnalyzer7.4.0affected
FortinetFortiAnalyzer7.2.0 <= 7.2.3affected
FortinetFortiAnalyzer7.0.0 <= 7.0.8affected
FortinetFortiAnalyzer6.4.0 <= 6.4.12affected
FortinetFortiAnalyzer6.2.0 <= 6.2.11affected
FortinetFortiManager7.4.0affected
FortinetFortiManager7.2.0 <= 7.2.3affected
FortinetFortiManager7.0.0 <= 7.0.8affected
FortinetFortiManager6.4.0 <= 6.4.12affected
FortinetFortiManager6.2.0 <= 6.2.11affected

Weaknesses

  • CWE-532: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References