PT-2024-7305 · Fortinet · FortiAnalyzer

Published: 2024-10-07 · Updated: 2024-10-19 · CVE-2024-45330

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Fortinet FortiAnalyzer versions 7.2.2 through 7.2.5; Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3.
Description: The vulnerability is caused by the use of an externally-controlled format string in the FortiAnalyzer event tracking and analysis tool: attacker-supplied data reaches a formatting routine as the format argument rather than as a plain data argument. An attacker could exploit this via specially crafted requests to escalate privileges, potentially enabling the execution of arbitrary code or commands.
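To make the weakness class concrete, here is an added C illustration of the generic "externally-controlled format string" pattern and its hardened counterpart. It is not FortiAnalyzer code and says nothing about where the flaw sits in that product; the function names, buffer sizes and sample input are constructed for this example.

```c
/* Added example, not FortiAnalyzer code: the generic shape of an
 * externally-controlled format string and two defensive counterparts.
 * All names and the sample input below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown in a comment only, so this file compiles cleanly
 * with -Wformat-security): untrusted data is passed as the format argument,
 * so any "%" directives the caller supplies are interpreted by the formatter
 * instead of being printed as data.
 *
 *     void log_event_unsafe(const char *user_controlled)
 *     {
 *         fprintf(stderr, user_controlled);   // BAD: data used as format
 *     }
 */

/* Hardened pattern: the format string is a compile-time constant and the
 * untrusted value is bound to a "%s" conversion, so a "%" in the input is
 * written literally. Returns the length the full message would have had,
 * exactly as snprintf does, so callers can detect truncation. */
int log_event_safe(char *out, size_t out_len, const char *user_controlled)
{
    return snprintf(out, out_len, "event: %s", user_controlled);
}

/* Defensive check for a trust boundary: count "%" characters in untrusted
 * input. A caller can use a non-zero result to reject or escape input that
 * would be dangerous if it ever reached a formatter as the format argument. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* constructed sample input that contains format directives */
    const char *sample = "user=admin%x%x%x%s";
    char buf[128];

    log_event_safe(buf, sizeof buf, sample);
    printf("%s\n", buf);   /* the "%" characters appear literally */
    printf("%zu directive characters found\n",
           count_format_directives(sample));
    return 0;
}
```

The point of `count_format_directives` is not to sanitize on its own but to give a detection signal: a logging or request-handling layer that sees `%` sequences in fields that should never contain them can alert, while `log_event_safe` shows the only structural fix, a constant format string with user data passed as an argument.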
Recommendations: For Fortinet FortiAnalyzer versions 7.2.2 through 7.2.5, update to a version outside of this range to mitigate the risk. For Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the fazsvcd daemon to minimize the risk of exploitation.

Fix

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

BDU:2024-08659
CVE-2024-45330

Affected Products

FortiAnalyzer