Cyber Posture

CVE-2024-45331

Severity: High

Published: 16 January 2025
Modified: 03 February 2025
KEV Added:
Patch:
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (38.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7 allows an attacker to escalate privilege via specific shell commands.

Security Summary

CVE-2024-45331 is an incorrect privilege assignment vulnerability (CWE-266) present in multiple Fortinet products. It affects FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; and FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7. The flaw enables privilege escalation when an attacker executes specific shell commands, as disclosed in the NVD on 2025-01-16.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L), provided they have local access (AV:L) and a user interaction occurs (UI:R). Successful exploitation allows escalation of privileges, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged scope (S:U), yielding a CVSS v3.1 base score of 7.3.

Mitigation guidance is available in the Fortinet PSIRT advisory FG-IR-24-127 at https://fortiguard.fortinet.com/psirt/FG-IR-24-127.

Details

CWE(s)
CWE-266, NVD-CWE-noinfo

Affected Products

fortinet / fortianalyzer: 6.4.0 — 7.2.6 · 7.4.0 — 7.4.4
fortinet / fortianalyzer cloud: 6.4.1 — 7.2.7 · 7.4.1 — 7.4.3
fortinet / fortimanager: 6.4.0 — 7.2.6 · 7.4.0 — 7.4.4
fortinet / fortimanager cloud: 7.0.1 — 7.2.7 · 7.4.1 — 7.4.4
