CVE-2024-32116

Relative Path Traversal (CWE-23)

Published: Nov 12, 2024 / Updated: 7d ago

CVSS 5.1 | EPSS 0.04% | Medium

Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5, and FortiAnalyzer-BigData version 7.4.0 and before 7.2.7 allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

Practitioner notes: the vector is AV:L/PR:H, so exploitation requires an account that already holds privileged access to the appliance CLI; this is a post-authentication hardening issue, not a remote entry point. The Integrity: Low / Availability: High split is consistent with a primitive that can remove files but not write them, where deleting the wrong files from the appliance filesystem can take the device out of service. Fortinet tracks the fix under FG-IR-24-099; remediation is to upgrade to a release outside the affected ranges above.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
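To show what a CWE-23 defect in a file-deletion command looks like and how the check is usually fixed, here is an added Python model. It is not Fortinet's code (which is not public) and does not reproduce the FortiManager CLI; the base directory, file names and the delete_managed_file handler are hypothetical. vulnerable_target is the bare join that lets a relative ../ sequence escape the managed directory; safe_target canonicalises with realpath and checks containment with commonpath, which also refuses absolute input, a symlink planted inside the managed tree, the directory itself, and the string-prefix trap (/var/log/app vs /var/log/app2).

```python
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path escapes the permitted base directory."""


def vulnerable_target(base_dir: str, user_path: str) -> str:
    # 'Before' behaviour (kept unsafe on purpose): a bare join, so any '../'
    # in user_path walks out of base_dir. Hypothetical handler, not vendor code.
    return os.path.join(base_dir, user_path)


def safe_target(base_dir: str, user_path: str) -> str:
    # Reject absolute input outright: os.path.join would discard base_dir.
    if os.path.isabs(user_path):
        raise PathTraversalError(f"absolute path rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses '.', '..' and symlinks, so the containment check
    # sees the path the kernel would actually act on.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: '/var/log/app' is a string prefix of
    # '/var/log/app2' but not a parent directory of it. Also refuse the
    # base directory itself so '.' cannot be used to delete it.
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"path escapes {base!r}: {user_path!r}")
    return target


def delete_managed_file(base_dir: str, user_path: str, *, hardened: bool = True) -> str:
    """Delete user_path relative to base_dir; returns the path that was removed."""
    if hardened:
        target = safe_target(base_dir, user_path)
    else:
        target = vulnerable_target(base_dir, user_path)
    os.unlink(target)
    return target


def demo() -> dict:
    """Run both variants in a scratch tree and report what happened.

    Constructed layout: <root>/app/logs is the directory the command is
    meant to manage; <root>/secret.txt stands in for a file outside it.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "app", "logs")
    os.makedirs(base)
    outside = os.path.join(root, "secret.txt")
    inside = os.path.join(base, "old.log")
    for p in (outside, inside):
        with open(p, "w") as f:
            f.write("x")
    # A symlink inside the managed tree that points outside it.
    os.symlink(root, os.path.join(base, "link"))

    result = {}
    # Unhardened: the traversal deletes the file outside the managed tree.
    delete_managed_file(base, "../../secret.txt", hardened=False)
    result["vulnerable_deleted_outside"] = not os.path.exists(outside)

    # Hardened: every escape attempt is refused; the in-tree file still works.
    attempts = ["../../secret.txt", "/etc/passwd", "sub/../../../secret.txt",
                "link/secret.txt", "."]
    refused = []
    for attempt in attempts:
        try:
            safe_target(base, attempt)
        except PathTraversalError:
            refused.append(attempt)
    result["hardened_refused"] = refused
    delete_managed_file(base, "old.log")
    result["hardened_deleted_inside"] = not os.path.exists(inside)

    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The order matters: resolve first, then compare. Checking the raw string for ".." before joining misses encoded or symlink-based escapes, and checking with a string prefix after resolving still passes sibling directories that merely share a prefix.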

Timeline

CVE Assignment

NVD published the first details for CVE-2024-32116

Nov 12, 2024 at 7:15 PM
CVSS

A CVSS base score of 5.1 has been assigned.

Nov 12, 2024 at 7:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-32116.

Nov 12, 2024 at 7:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 12, 2024 at 7:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 13, 2024 at 5:07 PM

Affected Systems

Fortinet/fortimanager_firmware

Attack Patterns

CAPEC-139: Relative Path Traversal

News

Arbitrary file deletion in FortiManager
The vulnerability allows a local user to delete arbitrary files on the system. This security bulletin contains one low risk vulnerability.
NA - CVE-2024-32116 - Multiple relative path traversal...
Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and...
CVE-2024-32116
Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData version 7.4.0 and before 7.2.7 allows a privileged attacker to delete files from the underlying filesystem via crafted CLI...
CVE-2024-32116 | Fortinet FortiAnalyzer/FortiManager up to 6.2.13/6.4.15/7.0.13/7.2.5/7.4.2 CLI Request path traversal (FG-IR-24-099)
A vulnerability was found in Fortinet FortiAnalyzer and FortiManager up to 6.2.13/6.4.15/7.0.13/7.2.5/7.4.2. It has been classified as problematic. This affects an unknown part of the component CLI Request Handler. The manipulation leads to relative path traversal. This vulnerability is uniquely identified as CVE-2024-32116. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.
Happy #PatchTuesday from Fortinet:
FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)
Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.
#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High
