CVE-2024-40593

Summary

A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiAnalyzer7.4.0 <= 7.4.2affected
FortinetFortiAnalyzer7.2.0 <= 7.2.5affected
FortinetFortiAnalyzer7.0.0 <= 7.0.15affected
FortinetFortiAnalyzer6.4.0 <= 6.4.15affected
FortinetFortiPortal6.0.0 <= 6.0.15affected
FortinetFortiOS7.6.0affected
FortinetFortiOS7.4.4affected
FortinetFortiOS7.2.7affected
FortinetFortiOS7.0.14affected
FortinetFortiManager7.4.0 <= 7.4.2affected
FortinetFortiManager7.2.0 <= 7.2.5affected
FortinetFortiManager7.0.0 <= 7.0.15affected
FortinetFortiManager6.4.0 <= 6.4.15affected

Weaknesses

  • CWE-320: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References