CVE-2024-35274: 
Fortinet FortiManager vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-35274) was discovered in multiple Fortinet products, including FortiAnalyzer versions below 7.4.2, FortiManager versions below 7.4.2, and FortiAnalyzer-BigData version 7.4.0 and below 7.2.7. The vulnerability was internally discovered and reported by Theo Leleu of the Fortinet Product Security team on November 12, 2024 (Fortinet Advisory).

The vulnerability is classified as an improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability, identified as CWE-22. It has been assigned a CVSS v3.1 score of 2.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, indicating local access requirements and high privileges needed for exploitation (NVD).

The vulnerability allows a privileged attacker with read-write administrative privileges to create non-arbitrary files on a chosen directory through crafted CLI requests. The impact is considered low due to the high privilege requirements and limited scope of the vulnerability (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiAnalyzer 7.4.0-7.4.2 should upgrade to version 7.4.3 or above. FortiManager users running versions 7.4.0-7.4.2 should also upgrade to version 7.4.3 or above. FortiAnalyzer-BigData 7.4.0 users should upgrade to version 7.4.1 or above. Users of earlier versions (7.2 and below) are advised to migrate to a fixed release (Fortinet Advisory).