CVE-2024-32117: 
Fortinet FortiManager vulnerability analysis and mitigation

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability was discovered in Fortinet FortiManager version 7.4.0 through 7.4.2 and below 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and below 7.2.5, and FortiAnalyzer-BigData version 7.4.0 and below 7.2.7. The vulnerability was internally discovered and reported by Théo Leleu of Fortinet product security team on November 12, 2024 (Fortinet Advisory).

The vulnerability (CVE-2024-32117) allows a privileged attacker to read arbitrary files from the underlying system via crafted HTTP or HTTPs requests. It has been assigned a CVSS v3.1 Base Score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, high privileges required, no user interaction needed, unchanged scope, high confidentiality impact, and no impact on integrity or availability (NVD).

The primary impact of this vulnerability is information disclosure, potentially allowing privileged attackers to access sensitive files on the affected systems through path traversal techniques (Fortinet Advisory).

Fortinet has released patches for the affected products. Users should upgrade FortiManager to version 7.4.3 or above (for 7.4.x) or 7.2.6 or above (for 7.2.x), FortiAnalyzer to version 7.4.3 or above (for 7.4.x) or 7.2.6 or above (for 7.2.x), and FortiAnalyzer-BigData to version 7.4.1 or above (for 7.4.x) or 7.2.8 or above (for 7.2.x). Users on versions 7.0 and below should migrate to a fixed release (Fortinet Advisory).