CVE-2024-33502: Arbitrary file delete on firmware import image feature
First published: Tue Jan 14 2025(Updated: )
A relative path traversal vulnerability [CWE-23] in FortiManager administrative interface may allow a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiAnalyzer | >=7.4.0<=7.4.2 | |
| Fortinet FortiAnalyzer | >=7.2.0<=7.2.5 | |
| Fortinet FortiAnalyzer | >=7.0 | |
| Fortinet FortiAnalyzer | >=6.4 | |
| Fortinet FortiAnalyzer | >=6.2 | |
| Fortinet FortiAnalyzer | >=6.0 | |
| Fortinet FortiManager | >=7.4.0<=7.4.2 | |
| Fortinet FortiManager | >=7.2.0<=7.2.5 | |
| Fortinet FortiManager | >=7.0 | |
| Fortinet FortiManager | >=6.4 | |
| Fortinet FortiManager | >=6.2 | |
| Fortinet FortiManager | >=6.0 | |
| Fortinet FortiAnalyzer | >=6.0.0<7.2.6 | |
| Fortinet FortiAnalyzer | >=7.4.0<7.4.3 | |
| Fortinet FortiManager | >=6.0.0<7.2.6 | |
| Fortinet FortiManager | >=7.4.0<7.4.3 |
Remedy
Please upgrade to FortiManager version 7.4.3 or above Please upgrade to FortiManager version 7.2.6 or above Please upgrade to FortiAnalyzer version 7.4.3 or above Please upgrade to FortiAnalyzer version 7.2.6 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-33502?
CVE-2024-33502 has a high severity due to its potential impact allowing privileged attackers to delete files from the filesystem.
How do I fix CVE-2024-33502?
To fix CVE-2024-33502, update FortiManager and FortiAnalyzer software to version 7.4.3 or later for affected versions.
Which versions of FortiManager are affected by CVE-2024-33502?
CVE-2024-33502 affects FortiManager versions below 7.4.3, especially 7.0 and earlier.
Which versions of FortiAnalyzer are impacted by CVE-2024-33502?
CVE-2024-33502 impacts FortiAnalyzer versions below 7.4.3, particularly those below 7.2.6.
What type of vulnerability is CVE-2024-33502?
CVE-2024-33502 is classified as a relative path traversal vulnerability, allowing potential unauthorized file deletion.
- agent/remedy
- agent/type
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2024-33502
- agent/first-publish-date
- agent/title
- agent/references
- agent/description
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/source
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/fortiguard-psirt
- vendor/fortinet
- canonical/fortinet fortianalyzer
- version/fortinet fortianalyzer/6.0.0
- version/fortinet fortianalyzer/7.4.0
- canonical/fortinet fortimanager
- version/fortinet fortimanager/6.0.0
- version/fortinet fortimanager/7.4.0
- version/fortinet fortianalyzer/7.4.2
- version/fortinet fortianalyzer/7.2.0
- version/fortinet fortianalyzer/7.2.5
- version/fortinet fortianalyzer/7.0
- version/fortinet fortianalyzer/6.4
- version/fortinet fortianalyzer/6.2
- version/fortinet fortianalyzer/6.0
- version/fortinet fortimanager/7.4.2
- version/fortinet fortimanager/7.2.0
- version/fortinet fortimanager/7.2.5
- version/fortinet fortimanager/7.0
- version/fortinet fortimanager/6.4
- version/fortinet fortimanager/6.2
- version/fortinet fortimanager/6.0