Details of VAR-202404-3527

ID

VAR-202404-3527

CVE

CVE-2024-23671

TITLE

fortinet's FortiSandbox Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2024-015435

DESCRIPTION

A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiSandbox version 4.4.0 through 4.4.3 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests. fortinet's FortiSandbox Exists in a past traversal vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2024-23671 // JVNDB: JVNDB-2024-015435

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.4.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.0.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.2.7	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.0.0 that's all 4.0.5	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.2.0 that's all 4.2.7	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0 that's all 4.4.4	Trust: 0.8

sources: JVNDB: JVNDB-2024-015435 // NVD: CVE-2024-23671

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2024-23671
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-23671
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-23671
value:	HIGH
Trust: 0.8

psirt@fortinet.com:	CVE-2024-23671
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.1
Trust: 2.0
NVD:	CVE-2024-23671
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2024-015435 // NVD: CVE-2024-23671 // NVD: CVE-2024-23671

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.0
problemtype:	Path traversal (CWE-22) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-015435 // NVD: CVE-2024-23671

PATCH

title:

FG-IR-23-454

url:

https://fortiguard.com/psirt/FG-IR-23-454

Trust: 0.8

sources: JVNDB: JVNDB-2024-015435

EXTERNAL IDS

db:	NVD	id:	CVE-2024-23671	Trust: 2.6
db:	JVNDB	id:	JVNDB-2024-015435	Trust: 0.8

sources: JVNDB: JVNDB-2024-015435 // NVD: CVE-2024-23671

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-23-454	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-23671	Trust: 0.8

sources: JVNDB: JVNDB-2024-015435 // NVD: CVE-2024-23671

SOURCES

db:	JVNDB	id:	JVNDB-2024-015435
db:	NVD	id:	CVE-2024-23671

LAST UPDATE DATE

2024-12-28T22:57:07.826000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2024-015435	date:	2024-12-24T06:29:00
db:	NVD	id:	CVE-2024-23671	date:	2024-12-23T15:04:06.610

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2024-015435	date:	2024-12-24T00:00:00
db:	NVD	id:	CVE-2024-23671	date:	2024-04-09T15:15:31.560