CVE-2024-35274 — Relative Path Traversal in Fortinet Fortianalyzer

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal4 documents4 sources

Severity

2.3LOWNVD

EPSS

0.1%

top 81.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortianalyzer BIG Data Fortinet Fortimanager

Timeline

PublishedNov 12

Description

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker with read write administrative privileges to create non-arbitrary files on a chosen directory via crafted CLI requests.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 0.8 | Impact: 1.4

Affected Packages5 packages

▶NVDfortinet/fortianalyzer_big_data6.2.1 — 7.4.1

▶NVDfortinet/fortianalyzer6.2.0 — 7.4.3

▶CVEListV5fortinet/fortianalyzer7.4.0 — 7.4.2+4

▶NVDfortinet/fortimanager6.2.0 — 7.4.3

▶CVEListV5fortinet/fortimanager7.4.0 — 7.4.2+4

🔴Vulnerability Details

GHSA

GHSA-pjmr-ff79-h6xp: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7↗2024-11-12

▶

CVEList

CVE-2024-35274: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7↗2024-11-12

▶

📋Vendor Advisories

Fortinet

Path traversal vulnerability leading to file creation↗2024-11-12

▶