CVE-2024-33504
Last modified
CVE-2024-33504 is a high-severity vulnerability rated 7.7/10 on the CVSS scale. A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.. EPSS estimates a 0.28% chance of exploitation in the next 30 days.
Description
A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fortinet | Fortimanager | >= 6.4.0, < 7.2.10 |
| Fortinet | Fortimanager | >= 7.4.0, < 7.4.6 |
| Fortinet | Fortimanager | >= 7.6.0, < 7.6.2 |
| Fortinet | Fortimanager Cloud | >= 6.4.1, < 7.2.9 |
| Fortinet | Fortimanager Cloud | >= 7.4.1, < 7.4.6 |
References
- https://fortiguard.fortinet.com/psirt/FG-IR-24-094Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-33504?
How severe is CVE-2024-33504?
How do I fix CVE-2024-33504?
Are you affected by CVE-2024-33504?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST