CVE-2024-36512

Name of the Vulnerable Software and Affected Versions Fortinet FortiManager, FortiAnalyzer versions 6.2.10 through 6.2.13 Fortinet FortiManager, FortiAnalyzer versions 7.0.2 through 7.0.12 Fortinet FortiManager, FortiAnalyzer versions 7.2.0 through 7.2.5 Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.3

Description The issue is related to an improper limitation of a pathname to a restricted directory, also known as 'path traversal', in Fortinet FortiManager and FortiAnalyzer. This allows an attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests. The vulnerability can be exploited by sending specially formed requests, enabling the attacker to write arbitrary files and execute arbitrary code.

Recommendations For versions 6.2.10 through 6.2.13, update to a version outside of this range to mitigate the risk. For versions 7.0.2 through 7.0.12, update to a version outside of this range to mitigate the risk. For versions 7.2.0 through 7.2.5, update to a version outside of this range to mitigate the risk. For versions 7.4.0 through 7.4.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the vulnerable interface until a patch is available. Avoid using the vulnerable pathway in the affected HTTP or HTTPS requests until the issue is resolved.