CVE-2024-35277

A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to access to the configuration of the managed devices by sending specifically crafted packets

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-135	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager_cloud::::::::
	cpe:2.3:a:fortinet:fortimanager_cloud::::::::
	cpe:2.3:a:fortinet:fortimanager_cloud::::::::

History

31 Jan 2025, 17:08

Type	Values Removed	Values Added
First Time		Fortinet fortimanager Fortinet Fortinet fortimanager Cloud
References	~~() https://fortiguard.fortinet.com/psirt/FG-IR-24-135 -~~	() https://fortiguard.fortinet.com/psirt/FG-IR-24-135 - Vendor Advisory
CPE		cpe:2.3:a:fortinet:fortimanager_cloud:::::::: cpe:2.3:a:fortinet:fortimanager::::::::
Summary		(es) La falta de autenticación para una función crítica en Fortinet FortiPortal versión 6.0.0 a 6.0.15, FortiManager versión 7.4.0 a 7.4.2, 7.2.0 a 7.2.5, 7.0.0 a 7.0.12, 6.4.0 a 6.4.14 permite a un atacante acceder a la configuración de los dispositivos administrados mediante el envío específico de paquetes manipulados.

14 Jan 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-14 14:15

Updated : 2025-01-31 17:08

NVD link : CVE-2024-35277

Mitre link : CVE-2024-35277

CVE.ORG link : CVE-2024-35277

JSON object : View

Products Affected

fortinet

fortimanager
fortimanager_cloud

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2024-35277", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-01-14T14:15:30.130", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-135", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to access to the configuration of the managed devices by sending specifically crafted packets"}, {"lang": "es", "value": "La falta de autenticaci\u00f3n para una funci\u00f3n cr\u00edtica en Fortinet FortiPortal versi\u00f3n 6.0.0 a 6.0.15, FortiManager versi\u00f3n 7.4.0 a 7.4.2, 7.2.0 a 7.2.5, 7.0.0 a 7.0.12, 6.4.0 a 6.4.14 permite a un atacante acceder a la configuraci\u00f3n de los dispositivos administrados mediante el env\u00edo espec\u00edfico de paquetes manipulados."}], "lastModified": "2025-01-31T17:08:01.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D2AD66B0-9C99-4F83-80AA-B54E6354ADFD", "versionEndExcluding": "6.4.15", "versionStartIncluding": "6.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37456E27-0EE2-4AF8-B92F-A5284FEC0409", "versionEndExcluding": "7.0.13", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "605795FE-4D3E-48D4-B2E6-AED4C79B405F", "versionEndExcluding": "7.2.6", "versionStartIncluding": "7.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4490512-36ED-4212-9D34-D74739A56E84", "versionEndExcluding": "7.4.3", "versionStartIncluding": "7.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29B3A5F2-3121-4902-BBB6-8B4D07767F77", "versionEndExcluding": "7.0.13", "versionStartIncluding": "7.0.1"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CD97EEF-BD2E-4442-A3E8-9C9489439404", "versionEndExcluding": "7.2.7", "versionStartIncluding": "7.2.1"}, {"criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F0FB078-A95E-4AFC-B4A9-A8C43E997A78", "versionEndExcluding": "7.4.3", "versionStartIncluding": "7.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}