ID

VAR-202404-3219


CVE

CVE-2024-31487


TITLE

Path traversal vulnerability in Fortinet FortiSandbox

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420

DESCRIPTION

An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiSandbox versions 4.4.0 through 4.4.4, 4.2.0 through 4.2.6, 4.0.0 through 4.0.5, 3.2.0 through 3.2.4, 3.1.0 through 3.1.5, 3.0.0 through 3.0.7, 2.5.0 through 2.5.2, and 2.4.0 through 2.4.1 may allow an attacker to disclose information via crafted HTTP requests. Fortinet FortiSandbox contains a path traversal vulnerability. Information may be obtained.

Trust: 1.62

sources: NVD: CVE-2024-31487 // JVNDB: JVNDB-2024-015420

AFFECTED PRODUCTS

vendor:fortinet model:fortisandbox scope:lt version:4.4.5

Trust: 1.0

vendor:fortinet model:fortisandbox scope:lt version:4.2.7

Trust: 1.0

vendor:fortinet model:fortisandbox scope:gte version:4.4.0

Trust: 1.0

vendor:fortinet model:fortisandbox scope:gte version:2.4.0

Trust: 1.0

vendor:Fortinet model:fortisandbox scope:eq version:-

Trust: 0.8

vendor:Fortinet model:fortisandbox scope:eq version:2.4.0 or later and earlier than 4.2.7

Trust: 0.8

vendor:Fortinet model:fortisandbox scope:eq version:4.4.0 or later and earlier than 4.4.5

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420 // NVD: CVE-2024-31487

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com: CVE-2024-31487
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2024-31487
value: MEDIUM

Trust: 1.0

NVD: CVE-2024-31487
value: MEDIUM

Trust: 0.8

psirt@fortinet.com: CVE-2024-31487
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 4.2
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2024-31487
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2024-31487
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420 // NVD: CVE-2024-31487 // NVD: CVE-2024-31487

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:Path traversal (CWE-22) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420 // NVD: CVE-2024-31487

PATCH

title:FG-IR-24-060 url:https://fortiguard.com/psirt/FG-IR-24-060

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420

EXTERNAL IDS

db:NVD id:CVE-2024-31487

Trust: 2.6

db:JVNDB id:JVNDB-2024-015420

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420 // NVD: CVE-2024-31487

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-24-060

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-31487

Trust: 0.8

sources: JVNDB: JVNDB-2024-015420 // NVD: CVE-2024-31487

SOURCES

db:JVNDB id:JVNDB-2024-015420
db:NVD id:CVE-2024-31487

LAST UPDATE DATE

2024-12-25T23:13:21.147000+00:00


SOURCES UPDATE DATE

db:JVNDB id:JVNDB-2024-015420 date:2024-12-24T02:13:00
db:NVD id:CVE-2024-31487 date:2024-12-23T15:05:45.840

SOURCES RELEASE DATE

db:JVNDB id:JVNDB-2024-015420 date:2024-12-24T00:00:00
db:NVD id:CVE-2024-31487 date:2024-04-09T15:15:31.753