CVE-2024-33504

EUVD-2024-31242
A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.1 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
fortinetCNA
3.9 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:P/RL:X/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
fortinetfortimanager
6.4.0 ≤
𝑥
< 7.2.10
fortinetfortimanager
7.4.0 ≤
𝑥
< 7.4.6
fortinetfortimanager
7.6.0 ≤
𝑥
< 7.6.2
fortinetfortimanager_cloud
6.4.1 ≤
𝑥
< 7.2.9
fortinetfortimanager_cloud
7.4.1 ≤
𝑥
< 7.4.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://fortiguard.fortinet.com/psirt/FG-IR-24-094
https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3