CVE-2024-45324

Summary

A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiPAM1.4.0 <= 1.4.2affected
FortinetFortiPAM1.3.0 <= 1.3.1affected
FortinetFortiPAM1.2.0affected
FortinetFortiPAM1.1.0 <= 1.1.2affected
FortinetFortiPAM1.0.0 <= 1.0.3affected
FortinetFortiWeb7.6.0affected
FortinetFortiWeb7.4.0 <= 7.4.5affected
FortinetFortiWeb7.2.0 <= 7.2.10affected
FortinetFortiWeb7.0.0 <= 7.0.10affected
FortinetFortiProxy7.6.0affected
FortinetFortiProxy7.4.0 <= 7.4.6affected
FortinetFortiProxy7.2.0 <= 7.2.12affected
FortinetFortiProxy7.0.0 <= 7.0.19affected
FortinetFortiSRA1.4.0 <= 1.4.2affected
FortinetFortiOS7.4.0 <= 7.4.4affected
FortinetFortiOS7.2.0 <= 7.2.9affected
FortinetFortiOS7.0.0 <= 7.0.15affected
FortinetFortiOS6.4.0 <= 6.4.15affected
FortinetFortiOS6.2.0 <= 6.2.16affected

Weaknesses

  • CWE-134: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References