CVE-2024-54021 — HTTP Request/Response Splitting in Fortinet Fortios

CWE-113 — HTTP Request/Response Splitting CWE-436 — Interpretation Conflict4 documents4 sources

Severity

5.8MEDIUMNVD

CNA6.5

EPSS

0.2%

top 64.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedJan 14

Description

An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 may allow a remote unauthenticated attacker to bypass the file filter via crafted HTTP headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDfortinet/fortios7.2.0 — 7.2.9+2

▶NVDfortinet/fortiproxy7.2.0 — 7.2.12+1

▶CVEListV5fortinet/fortios7.4.0 — 7.4.4+2

▶CVEListV5fortinet/fortiproxy7.4.0 — 7.4.5+1

🔴Vulnerability Details

CVEList

CVE-2024-54021: An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7↗2025-01-14

▶

GHSA

GHSA-v8p8-w9q2-q67j: An improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS 7↗2025-01-14

▶

📋Vendor Advisories

Fortinet

File-Filter Bypass in Explicit Web Proxy Policy↗2025-01-14

▶