CVE-2024-40585

CWE-532 — Log File Information Exposure4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 68.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedMar 14

Description

An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiManager version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below and FortiAnalyzer version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below eventlog may allow any low privileged user with access to event log section to retrieve certificate private key and encrypted password logged as system log.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDfortinet/fortimanager6.2.0 — 7.0.9+2

▶NVDfortinet/fortianalyzer6.2.0 — 6.2.12+4

▶CVEListV5fortinet/fortimanager7.2.0 — 7.2.3+4

▶CVEListV5fortinet/fortianalyzer7.2.0 — 7.2.3+4

🔴Vulnerability Details

CVEList

CVE-2024-40585: An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiManager version 7↗2025-03-14

▶

GHSA

GHSA-wjm4-q3m2-wf4h: An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiManager version 7↗2025-03-14

▶

📋Vendor Advisories

Fortinet

Insertion of sensitive information into Event log↗2025-03-14

▶