CVE-2024-23666

EUVD-2024-21139

12.11.2024, 19:15

A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData 
at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14 allows attacker to improper access control via crafted requests.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
fortinet	CNA	7.1 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Affected Products (NVD)

Vendor	Product	Version
fortinet	fortianalyzer	6.4.0 ≤ 𝑥 < 6.4.15
fortinet	fortianalyzer	7.0.0 ≤ 𝑥 < 7.0.13
fortinet	fortianalyzer	7.2.0 ≤ 𝑥 < 7.2.6
fortinet	fortianalyzer	7.4.0 ≤ 𝑥 < 7.4.3
fortinet	fortianalyzer_big_data	6.2.1 ≤ 𝑥 < 7.2.7
fortinet	fortianalyzer_big_data	7.4.0
fortinet	fortimanager	6.4.0 ≤ 𝑥 < 6.4.15
fortinet	fortimanager	7.0.0 ≤ 𝑥 < 7.0.13
fortinet	fortimanager	7.2.0 ≤ 𝑥 < 7.2.6
fortinet	fortimanager	7.4.0 ≤ 𝑥 < 7.4.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-602 - Client-Side Enforcement of Server-Side Security
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

References

https://fortiguard.fortinet.com/psirt/FG-IR-23-396