CVE-2024-48884
Summary
| CVE | CVE-2024-48884 |
|---|---|
| State | PUBLISHED |
| Assigner | fortinet |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-01-14 14:15:32 UTC |
| Updated | 2026-07-08 14:16:53 UTC |
| Description | A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files or a remote unauthenticated attacker to delete an arbitrary folder |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Problem Types: CWE-22 | CWE-22 Escalation of privilege
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Fortinet | Fortimanager | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Fortinet | FortiManager | affected 7.6.0 7.6.1 semver | Not specified |
| CNA | Fortinet | FortiManager | affected 7.4.1 7.4.3 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 7.4.0 7.4.5 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 7.2.0 7.2.11 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 7.0.0 7.0.18 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 2.0.0 2.0.14 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 1.2.0 1.2.13 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 1.1.0 1.1.6 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 1.0.0 1.0.7 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 7.6.0 | Not specified |
| CNA | Fortinet | FortiOS | affected 7.4.0 7.4.4 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 7.2.0 7.2.9 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 7.0.0 7.0.15 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 6.4.0 6.4.15 semver | Not specified |
| CNA | Fortinet | FortiManager Cloud | affected 7.4.1 7.4.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| fortiguard.fortinet.com/psirt/FG-IR-24-259 | [email protected] | fortiguard.fortinet.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: Upgrade to upcoming FortiAuthenticator version 7.0.0 or above Upgrade to FortiOS version 7.6.1 or above Upgrade to FortiOS version 7.4.5 or above Upgrade to FortiOS version 7.2.10 or above Upgrade to FortiOS version 7.0.16 or above Upgrade to FortiOS version 6.4.16 or above Upgrade to FortiWeb version 7.6.1 or above Upgrade to FortiWeb version 7.4.5 or above Upgrade to FortiRecorder version 7.2.2 or above Upgrade to FortiRecorder version 7.0.5 or above Upgrade to FortiManager Cloud version 7.4.4 or above Upgrade to FortiProxy version 7.4.6 or above Upgrade to FortiProxy version 7.2.12 or above Upgrade to FortiProxy version 7.0.19 or above Upgrade to FortiVoice version 7.2.0 or above Upgrade to FortiVoice version 7.0.5 or above Upgrade to FortiVoice version 6.4.10 or above Fortinet remediated this issue in FortiSASE version 24.3.c and hence customers do not need to perform any action. Upgrade to FortiManager version 7.6.2 or above Upgrade to FortiManager version 7.4.4 or above