PT-2025-3014 · Fortinet · FortiOS, FortiProxy

Published: 2025-01-14 · Updated: 2025-08-08 · CVE-2024-54021

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Fortinet FortiOS versions 7.2.0 through 7.6.0
FortiProxy versions 7.2.0 through 7.4.5
Description
The issue is an improper neutralization of CRLF sequences in HTTP headers, also known as 'HTTP response splitting'. This allows an attacker to execute unauthorized code or commands via a crafted HTTP header. A remote unauthenticated attacker may bypass the file filter via a crafted HTTP header.
Recommendations
For Fortinet FortiOS versions 7.2.0 through 7.6.0, update to a version that fixes the improper neutralization of CRLF sequences in HTTP headers. For FortiProxy versions 7.2.0 through 7.4.5, update to a version that fixes the same issue. As a temporary workaround, consider restricting the acceptance of crafted HTTP headers to reduce the risk of exploitation.
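As an added illustration of the weakness class this advisory names (this is not code from Fortinet or from the advisory), the following Python shows how a header value that still contains a CR/LF sequence splits one header into two when serialized naively, and the neutralization check a defender applies before such a value reaches the wire. All header names and values are constructed samples.

```python
"""Added example: CRLF neutralization for HTTP header values.
Sample headers are constructed for this illustration, not taken from the advisory."""
import re

# Any bare CR or LF inside a header value can terminate the header line early.
CRLF_RE = re.compile(r"[\r\n]")

# Constructed sample values.
SAFE_VALUE = "attachment; filename=report.pdf"
SPLIT_VALUE = "text/plain\r\nX-Injected: 1\r\n\r\nignored-body"


def naive_header_line(name: str, value: str) -> str:
    """Vulnerable pattern: the value is interpolated without neutralization,
    so an embedded CRLF ends this header and starts another (or the body)."""
    return f"{name}: {value}\r\n"


def count_header_lines(raw: str) -> int:
    """Number of header lines a serialized block really contains, i.e. what a
    downstream parser or filter would see rather than what the caller intended."""
    head = raw.split("\r\n\r\n", 1)[0]
    return sum(1 for line in head.split("\r\n") if line)


def header_value_ok(value: str) -> bool:
    """True when the value carries no CR or LF and is safe to serialize."""
    return CRLF_RE.search(value) is None


def safe_header_line(name: str, value: str) -> str:
    """Hardened pattern: refuse a value containing CR/LF instead of emitting it."""
    if not header_value_ok(value):
        raise ValueError("CR/LF sequence in header value")
    return f"{name}: {value}\r\n"


def find_crlf_headers(headers: dict) -> list:
    """Detection helper: names of headers whose values carry CR or LF."""
    return sorted(n for n, v in headers.items() if not header_value_ok(v))


if __name__ == "__main__":
    print(count_header_lines(naive_header_line("Content-Type", SPLIT_VALUE)))  # 2
    print(count_header_lines(naive_header_line("Content-Disposition", SAFE_VALUE)))  # 1
    print(find_crlf_headers({"Content-Type": SPLIT_VALUE, "X-Ok": SAFE_VALUE}))
```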

Related Identifiers

BDU:2025-04289
CVE-2024-54021

Affected Products

FortiOS
FortiProxy