CVE-2024-36508: Multiple arbitrary file deletion in the CLI
First published: Tue Feb 11 2025(Updated: )
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiManager and FortiAnalyzer CLI may allow any authenticated admin user with diagnose privileges to delete any file on the system.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiManager | >=7.4.0<7.4.2<7.2.5 | |
| Fortinet FortiAnalyzer | >=7.4.0<7.4.2<7.2.5 | |
| Fortinet FortiAnalyzer | >=7.4.0<=7.4.2 | |
| Fortinet FortiAnalyzer | >=7.2.0<=7.2.5 | |
| Fortinet FortiAnalyzer | >=7.0 | |
| Fortinet FortiAnalyzer | >=6.4 | |
| Fortinet FortiManager | >=7.4.0<=7.4.2 | |
| Fortinet FortiManager | >=7.2.0<=7.2.5 | |
| Fortinet FortiManager | >=7.0 | |
| Fortinet FortiManager | >=6.4 |
Remedy
Please upgrade to FortiManager version 7.4.3 or above Please upgrade to FortiManager version 7.2.6 or above Please upgrade to FortiAnalyzer version 7.4.3 or above Please upgrade to FortiAnalyzer version 7.2.6 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-36508?
CVE-2024-36508 is classified as a medium severity vulnerability due to its potential impact on system confidentiality and integrity.
How do I fix CVE-2024-36508?
To fix CVE-2024-36508, upgrade FortiManager and FortiAnalyzer to versions 7.4.3 or later and 7.2.6 or later.
What types of systems are affected by CVE-2024-36508?
CVE-2024-36508 affects Fortinet FortiManager and FortiAnalyzer versions 7.4.0 through 7.4.2 and earlier than 7.2.5.
Who can exploit CVE-2024-36508?
An authenticated admin user with appropriate permissions can exploit CVE-2024-36508 due to improper path limitations.
What is the nature of the vulnerability in CVE-2024-36508?
CVE-2024-36508 is a path traversal vulnerability that allows attackers to access restricted directories on the affected systems.
- agent/remedy
- agent/type
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2024-36508
- agent/first-publish-date
- agent/title
- agent/references
- agent/softwarecombine
- agent/description
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/source
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/fortiguard-psirt
- vendor/fortinet
- canonical/fortinet fortimanager
- canonical/fortinet fortianalyzer
- version/fortinet fortianalyzer/7.4.0
- version/fortinet fortianalyzer/7.4.2
- version/fortinet fortianalyzer/7.2.0
- version/fortinet fortianalyzer/7.2.5
- version/fortinet fortianalyzer/7.0
- version/fortinet fortianalyzer/6.4
- version/fortinet fortimanager/7.4.0
- version/fortinet fortimanager/7.4.2
- version/fortinet fortimanager/7.2.0
- version/fortinet fortimanager/7.2.5
- version/fortinet fortimanager/7.0
- version/fortinet fortimanager/6.4