Recent comments


Apache Pinot Improper Neutralization of Special Elements Authentication Bypass Vulnerability on cve-2024-56325
21 days ago by Alexandre Dulaunoy

CVE ID: CVE-2024-56325
CVSS SCORE: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS: Apache
AFFECTED PRODUCTS: Pinot
VULNERABILITY DETAILS
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.

ADDITIONAL DETAILS
Fixed in version 1.3.0


{
   uuid: "a9f2cad3-dbfc-4703-9c5f-9af054301f88",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Apache Pinot Improper Neutralization of Special Elements Authentication Bypass Vulnerability",
   description: "CVE ID\tCVE-2024-56325\nCVSS SCORE\t9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\nAFFECTED VENDORS\tApache\nAFFECTED PRODUCTS\tPinot\nVULNERABILITY DETAILS\t\nThis vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.\n\nADDITIONAL DETAILS\t\nFixed in version 1.3.0",
   description_format: "markdown",
   vulnerability: "CVE-2024-56325",
   creation_timestamp: "2025-03-11T05:25:53.938762+00:00",
   timestamp: "2025-03-11T05:25:53.938762+00:00",
   related_vulnerabilities: [
      "CVE-2024-56325",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

PaloAlto - CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet on cve-2024-3393
3 months ago by Alexandre Dulaunoy

CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet

Ref: https://security.paloaltonetworks.com/CVE-2024-3393

A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

See the Solution section for additional fixes to commonly deployed maintenance releases.

DNS Security logging must be enabled for this issue to affect PAN-OS software.

Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.

This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.

Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case.

In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.

Remember to revert the Log Severity settings once the fixes are applied.

Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case. If you would like to expedite the upgrade, please make a note of that in the support case.

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*


{
   uuid: "6608623d-c8c2-494f-a4a8-41a12a6a7cc0",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "PaloAlto - CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet",
   description: "# CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet\nRef: [https://security.paloaltonetworks.com/CVE-2024-3393](https://security.paloaltonetworks.com/CVE-2024-3393)\n\nA Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.\n\nSee the Solution section for additional fixes to commonly deployed maintenance releases.\n\nDNS Security logging must be enabled for this issue to affect PAN-OS software.\n\nPalo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.\n\nThis issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.\n\nNote: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.\n\nPrisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. 
You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a [support case](https://support.paloaltonetworks.com/Support/Index).\n\nIn addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\n\nRemember to revert the Log Severity settings once the fixes are applied.\n\nUntil we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a [support case](https://support.paloaltonetworks.com/Support/Index). If you would like to expedite the upgrade, please make a note of that in the support case.\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:
paloaltonetworks:pan-os:11.1.3:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h15:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloalt
onetworks:pan-os:11.1.1:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:palo
altonetworks:pan-os:10.2.9:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloalto
networks:pan-os:10.2.8:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1:-:\\*:\\*:\\*:\\*:\\*:\\*",
   description_format: "markdown",
   vulnerability: "CVE-2024-3393",
   creation_timestamp: "2024-12-27T08:59:02.439757+00:00",
   timestamp: "2024-12-27T08:59:47.544807+00:00",
   related_vulnerabilities: [
      "CVE-2024-3393",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

CVE-2023-50164 - Rapid7 analysis on cve-2023-50164
3 months ago by Alexandre Dulaunoy

Reference - https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis

Apache Struts is a popular Java web application framework. On December 7, 2023 Apache published an advisory for CVE-2023-50164, a Struts parameter pollution vulnerability that potentially leads to arbitrary file uploads. An attacker with the ability to perform arbitrary file uploads is very likely to be able to leverage this and achieve remote code execution. According to the vendor, the following versions of Struts are affected:

  • Struts 2.0.0 – Struts 2.3.37 (End of Life)

  • Struts 2.5.0 – Struts 2.5.32

  • Struts 6.0.0 – Struts 6.3.0

Several technical analyses on the root cause of the vulnerability have already been done (here, here, and here). Notably, all current public analysis of the vulnerability demonstrates exploitation on a custom made demo web application.

There are currently no known production web applications that are exploitable, although this is likely to change as the vulnerability comes under more scrutiny from researchers, and given the popularity of the Struts framework in enterprise web applications. Several security firms have reported exploitation (here and here), but as of December 15, 2023, it is unclear if the activity being reported actually refers to successful exploitation (i.e., code execution) against one or more known vulnerable targets, or if this is merely highlighting exploit attempts with the existing public PoCs (all of which target a demo application) being sprayed opportunistically at indiscriminate targets.

However, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome.

Remediation

Vendors who develop applications that use Apache Struts should upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to remediate CVE-2023-50164.


{
   uuid: "a459b3c2-e2f0-467e-8fe5-e7c2b47a9fe3",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE-2023-50164 - Rapid7 analysis",
   description: "Reference - [https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis](https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis)\n\n[Apache Struts](https://struts.apache.org/) is a popular Java web application framework. On December 7, 2023 Apache [published an advisory](https://www.openwall.com/lists/oss-security/2023/12/07/1) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), a Struts parameter pollution vulnerability that potentially leads to arbitrary file uploads. An attacker with the ability to perform arbitrary file uploads is very likely to be able to leverage this and achieve remote code execution. According [to the vendor](https://cwiki.apache.org/confluence/display/WW/S2-066), the following versions of Struts are affected:\n\n*   Struts 2.0.0 – Struts 2.3.37 (End of Life)  \n    \n*   Struts 2.5.0 – Struts 2.5.32  \n    \n*   Struts 6.0.0 – Struts 6.3.0  \n    \n\nSeveral technical analyses on the root cause of the vulnerability have already been done ([here](https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-\\(-S2-066-CVE-2023-50164\\)), [here](https://xz.aliyun.com/t/13172), and [here](https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE)). Notably, all current public analysis of the vulnerability demonstrates exploitation on a custom made demo web application.\n\n**There are currently no known production web applications that are exploitable**, although this is likely to change as the vulnerability comes under more scrutiny from researchers, and given the popularity of the Struts framework in enterprise web applications. 
Several security firms have reported exploitation ([here](https://twitter.com/akamai_research/status/1735049812746137929) and [here](https://twitter.com/shadowserver/status/1734919288257974380)), but as of December 15, 2023, it is unclear if the activity being reported actually refers to successful exploitation (i.e., code execution) against one or more known vulnerable targets, or if this is merely highlighting exploit attempts with the existing public PoCs (all of which target a demo application) being sprayed opportunistically at indiscriminate targets.\n\nHowever, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome.\n\n# Remediation\n\nVendors who develop applications that use Apache Struts should upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to remediate CVE-2023-50164.",
   description_format: "markdown",
   vulnerability: "CVE-2023-50164",
   creation_timestamp: "2024-12-19T05:35:41.724032+00:00",
   timestamp: "2024-12-19T05:38:18.769241+00:00",
   related_vulnerabilities: [
      "CVE-2023-50164",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
      {
         ref: " https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis",
      },
   ],
}

(Vendor information) Missing authentication in fgfmsd on cve-2024-47575
5 months ago by Alexandre Dulaunoy

A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Reports have shown this vulnerability to be exploited in the wild.

Summary

| Version | Affected | Solution |
| --- | --- | --- |
| FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
| FortiManager Cloud 7.6 | Not affected | Not Applicable |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager Cloud 6.4 | 6.4 all versions | Migrate to a fixed release |

Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

config system global
    set fmg-status enable
end

and at least one interface with fgfm service enabled are also impacted by this vulnerability.

Workarounds

Upgrade to a fixed version or use one of the following workarounds, depending on the version you're running:

1- For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

config system global
(global)# set fgfm-deny-unknown enable
(global)# end

Warning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.

If FAZ features are enabled on FMG, block the addition of unauthorized devices via syslog:

conf system global
    set detect-unregistered-log-device disable
end

If FortiGate Updates or Web Filtering are enabled, block the addition of unauthorized devices via FDS:

conf fmupdate fds-setting
    set unreg-dev-option ignore
end

2- Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.

Example:

config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src
    next
    edit 2
        set dport 541
    next
end

3- For 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, it is also possible to use a custom certificate, which will mitigate the issue:

config system global
    set fgfm-ca-cert
    set fgfm-cert-exclusive enable
end

And install that certificate on FortiGates. Only this CA will be valid; this can act as a workaround, provided the attacker cannot obtain a certificate signed by this CA via an alternate channel.

NB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.

Indicators of Compromise

The following are possible IoCs:

Log entries

type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" sessionid=0 operation="Add device" performedon="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" sessionid=0 operation="Modify device" performedon="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

IP addresses

45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
195.85.114.78 (Not observed by Fortinet, reported by Mandiant)

Serial Number

FMG-VMTM23017412

Files

/tmp/.tm
/var/tmp/.tm

Note that file IoCs may not appear in all cases.

Risk

The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.

At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.

Recovery

A FortiManager configuration backup file would not contain any OS or system-level file changes, as these files are not included in the archive. Therefore, taking a backup from a compromised system and then restoring it on a fresh or re-initialized one, would not carry over and re-introduce such low-level changes. When taking this approach, be aware that the data may have been tampered with. Careful review should be done to confirm configuration accuracy.

The methods below assume that the managed devices (FortiGates or other) contained in the backup have not been tampered with and that their configurations are reliable. Event log activity verification of the FortiGates should be reviewed starting from the date of the identified IoCs, to determine if there were any unauthorized access or configuration changes. Since data may have been exfiltrated from the FortiManager database, we recommend that the credentials, such as passwords and user-sensitive data, of all managed devices, be urgently changed.

For VM installations, recovery can be facilitated by keeping a copy of the compromised FortiManager in an isolated network with no Internet connection, as well as configuring it in offline mode and closed-network mode operation (see settings below). This system can be used to compare with the new one which will be set up in parallel.

config system admin setting
set offline_mode enable
end
config fmupdate publicnetwork
set status disable
end

Recovery Methods

Option 1 – Recommended Recovery Action

This method ensures that the FortiManager configuration was not tampered with. It will require database rebuilding or device configuration resynchronizations at the Device and Policy Package ADOM levels.

• Installing a fresh FortiManager VM or re-initializing a hardware model and adding/discovering the devices.
• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a backup taken before the IoC detection.

Option 2 – Alternative Recovery Action

This method provides a quick recovery, where partial or no database rebuilding/resynchronization is required. It requires that you manually verify the accuracy of the currently running FortiManager configuration.

• Installing a fresh FortiManager VM or re-initializing a hardware model and restoring/copying components or configuration sections from a compromised FortiManager.
• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a backup from a compromised FortiManager.

For more info on data configuration and synchronization procedures: https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748


{
   uuid: "9baa9351-dc32-4f7d-b01d-eeb3a51e50be",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "(Vendor information) Missing authentication in fgfmsd",
   description: "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.\n\nReports have shown this vulnerability to be exploited in the wild.\n\nPSIRT | FortiGuard Labs\n9–11 minutes\nSummary\n\nA missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.\n\nReports have shown this vulnerability to be exploited in the wild.\nVersion \tAffected \tSolution\nFortiManager 7.6 \t7.6.0 \tUpgrade to 7.6.1 or above\nFortiManager 7.4 \t7.4.0 through 7.4.4 \tUpgrade to 7.4.5 or above\nFortiManager 7.2 \t7.2.0 through 7.2.7 \tUpgrade to 7.2.8 or above\nFortiManager 7.0 \t7.0.0 through 7.0.12 \tUpgrade to 7.0.13 or above\nFortiManager 6.4 \t6.4.0 through 6.4.14 \tUpgrade to 6.4.15 or above\nFortiManager 6.2 \t6.2.0 through 6.2.12 \tUpgrade to 6.2.13 or above\nFortiManager Cloud 7.6 \tNot affected \tNot Applicable\nFortiManager Cloud 7.4 \t7.4.1 through 7.4.4 \tUpgrade to 7.4.5 or above\nFortiManager Cloud 7.2 \t7.2.1 through 7.2.7 \tUpgrade to 7.2.8 or above\nFortiManager Cloud 7.0 \t7.0.1 through 7.0.12 \tUpgrade to 7.0.13 or above\nFortiManager Cloud 6.4 \t6.4 all versions \tMigrate to a fixed release\n\nOld FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):\n\nconfig system global\nset fmg-status enable\nend\n\nand at least one interface with fgfm service enabled are also impacted by this vulnerability.\n\nWorkarounds\n\nUpgrade to a fixed version or use one of the following workarounds, depending on the version you're running:\n\n1- For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices to 
attempt to register:\n\nconfig system global\n(global)# set fgfm-deny-unknown enable\n(global)# end\n\nWarning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.\n\nIf FAZ features are enabled on FMG, block the addition of unauthorized devices via syslog:\n\nconf system global\nset detect-unregistered-log-device disable\nend\n\nIf FortiGate Updates or Web Filtering are enabled, block the addition of unauthorized devices via FDS:\n\nconf fmupdate fds-setting\nset unreg-dev-option ignore\nend\n\n2- Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.\n\nExample:\n\nconfig system local-in-policy\nedit 1\nset action accept\nset dport 541\nset src\nnext\nedit 2\nset dport 541\nnext\nend\n\n3- For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom certificate which will mitigate the issue:\n\nconfig system global\nset fgfm-ca-cert\nset fgfm-cert-exclusive enable\n\nend\n\nAnd install that certificate on FortiGates. 
Only this CA will be valid, this can act as a workaround, providing the attacker cannot obtain a certificate signed by this CA via an alternate channel.\n\nNB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.\n\nIndicators of Compromise\n\nThe following are possible IoCs:\n\nLog entries\n\ntype=event,subtype=dvm,pri=information,desc=\"Device,manager,generic,information,log\",user=\"device,...\",msg=\"Unregistered device localhost add succeeded\" device=\"localhost\" adom=\"FortiManager\" session_id=0 operation=\"Add device\" performed_on=\"localhost\" changes=\"Unregistered device localhost add succeeded\"\n\ntype=event,subtype=dvm,pri=notice,desc=\"Device,Manager,dvm,log,at,notice,level\",user=\"System\",userfrom=\"\",msg=\"\" adom=\"root\" session_id=0 operation=\"Modify device\" performed_on=\"localhost\" changes=\"Edited device settings (SN FMG-VMTM23017412)\"\n\nIP addresses\n\n45.32.41.202\n104.238.141.143\n158.247.199.37\n45.32.63.2\n195.85.114.78 (Not observed by Fortinet, reported by Mandiant here)\n\nSerial Number\n\nFMG-VMTM23017412\n\nFiles\n\n/tmp/.tm\n/var/tmp/.tm\n\nNote that file IoCs may not appear in all cases.\n\nRisk\n\nThe identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.\n\nAt this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.\n\nRecovery\n\nA FortiManager configuration backup file would not contain any OS or system-level file\nchanges, as these files are not included in the archive. 
Therefore, taking a backup from a\ncompromised system and then restoring it on a fresh or re-initialized one, would not carry\nover and re-introduce such low-level changes. When taking this approach, be aware that the\ndata may have been tampered with. Careful review should be done to confirm configuration\naccuracy.\n\nThe methods below assume that the managed devices (FortiGates or other) contained in the\nbackup have not been tampered with and that their configurations are reliable. Event log\nactivity verification of the FortiGates should be reviewed starting from the date of the\nidentified IoCs, to determine if there were any unauthorized access or configuration changes.\nSince data may have been exfiltrated from the FortiManager database, we recommend that\nthe credentials, such as passwords and user-sensitive data, of all managed devices, be\nurgently changed.\n\nFor VM installations, recovery can be facilitated by keeping a copy of the compromised\nFortiManager in an isolated network with no Internet connection, as well as configuring it in\noffline mode and closed-network mode operation (see settings below). This system can be\nused to compare with the new one which will be set up in parallel.\n\nconfig system admin setting\nset offline_mode enable\nend\nconfig fmupdate publicnetwork\nset status disable\nend\n\nRecovery Methods\n\nOption 1 – Recommended Recovery Action\n\nThis method ensures that the FortiManager configuration was not tampered with. 
It will\nrequire database rebuilding or device configuration resynchronizations at the Device and\nPolicy Package ADOM levels.\n\n• Installing a fresh FortiManager VM or re-initializing a hardware model and\nadding/discovering the devices.\n• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a\nbackup taken before the IoC detection.\n\nOption 2 – Alternative Recovery Action\n\nThis method provides a quick recovery, where partial or no database\nrebuilding/resynchronization is required. It requires that you manually verify accuracy of the\ncurrently running FortiManager configuration\n\n• Installing a fresh FortiManager VM or re-initializing a hardware model and\nrestoring/copying components or configuration sections from a compromised\nFortiManager.\n• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a\nbackup from a compromised FortiManager.\n\nFor more info on data configuration and synchronization procedures: https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748\n\n\n\n- [https://www.fortiguard.com/psirt/FG-IR-24-423](https://www.fortiguard.com/psirt/FG-IR-24-423)",
   description_format: "markdown",
   vulnerability: "CVE-2024-47575",
   creation_timestamp: "2024-10-25T07:11:40.672278+00:00",
   timestamp: "2024-10-25T07:11:40.672278+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-47575
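The two IoC log entries in the comment above, run through a small detector as an added example (not part of the advisory and not Fortinet tooling): it parses FortiManager key=value event lines, where quoted values may contain commas, and flags the "localhost" unregistered-device add and the device edit referencing the advisory's serial number. The third, benign sample line and the rule names are constructed for illustration.

```python
import re

# Serial number listed as an IoC in the advisory.
IOC_SERIAL = "FMG-VMTM23017412"

# key=value pairs: values are double-quoted (may contain commas or spaces)
# or bare tokens running up to the next comma or whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')

# The first two lines are the IoC log entries quoted in the advisory; the
# third is a constructed benign "Add device" event for comparison.
SAMPLE_LINES = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,'
    'information,log",user="device,...",msg="Unregistered device localhost '
    'add succeeded" device="localhost" adom="FortiManager" session_id=0 '
    'operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,'
    'level",user="System",userfrom="",msg="" adom="root" session_id=0 '
    'operation="Modify device" performed_on="localhost" '
    'changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,'
    'information,log",user="admin",msg="Device FGT-branch1 add succeeded" '
    'device="FGT-branch1" adom="root" session_id=42 operation="Add device" '
    'performed_on="FGT-branch1" changes="Device FGT-branch1 add succeeded"',
]

def parse_fmg_event(line: str) -> dict:
    """Split one FortiManager event log line into a dict of fields."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields

def match_iocs(line: str) -> list:
    """Return the names of the advisory IoC patterns a log line matches."""
    f = parse_fmg_event(line)
    hits = []
    if f.get("type") != "event" or f.get("subtype") != "dvm":
        return hits
    changes = f.get("changes", "")
    # IoC 1: an unregistered device named "localhost" was added.
    if f.get("operation") == "Add device" and f.get("device") == "localhost":
        hits.append("unregistered-localhost-added")
    # IoC 2: device settings edited for the serial number from the advisory.
    if f.get("operation") == "Modify device" and IOC_SERIAL in changes:
        hits.append("ioc-serial-modified")
    return hits

def scan(lines: list) -> list:
    """Return (line number, IoC name) pairs for every matching line."""
    return [(n, h) for n, ln in enumerate(lines, 1) for h in match_iocs(ln)]
```

Feed `scan()` the event log export of a FortiManager and review every hit from the date of the identified IoCs onward, alongside the file and IP indicators listed above.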

Patches released previously did not completely mitigate the vulnerability on cve-2024-38812
5 months ago by Cédric Bonhomme

VMware has determined that the vCenter patches released previously did not completely mitigate the vulnerability.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968


{
   uuid: "a3186180-3808-47e1-8347-071389b4f994",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Patches released previously did not completely mitigate the vulnerability",
   description: "VMware has determined that the vCenter patches released previously did not completely mitigate the vulnerability.\n\nhttps://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968",
   description_format: "markdown",
   vulnerability: "CVE-2024-38812",
   creation_timestamp: "2024-10-22T13:20:32.036514+00:00",
   timestamp: "2024-10-22T13:20:32.036514+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
      {
         resources: [
            "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968",
         ],
      },
   ],
}

cve-2024-38812

Availability of a patch on cve-2024-28987
5 months ago by Cédric Bonhomme

The company released a patch in Web Help Desk version 12.8.3 HF2, which addresses this vulnerability. Users are strongly advised to update their software to this version or later to protect against this flaw.


{
   uuid: "f9ef410e-5884-4a57-a0d5-a3a16d9ff8fa",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Availability of a patch",
   description: "The company released [a patch](https://solarwindscore.my.site.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2?language=en_US) in Web Help Desk version 12.8.3 HF2, which addresses this vulnerability. Users are strongly advised to update their software to this version or later to protect against this flaw.",
   description_format: "markdown",
   vulnerability: "CVE-2024-28987",
   creation_timestamp: "2024-10-18T22:25:32.495082+00:00",
   timestamp: "2024-10-18T22:26:03.012172+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
         resources: [
            "https://solarwindscore.my.site.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2",
         ],
      },
   ],
}

cve-2024-28987

More details from the vendor on cve-2024-9164
5 months ago by Alexandre Dulaunoy

Run pipelines on arbitrary branches

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.


{
   uuid: "af885327-bc8d-4e07-9ea5-a86cda87beb0",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "More details from the vendor",
   description: "-  GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9  - [https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/](https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/)\n\nRun pipelines on arbitrary branches\n\nAn issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.",
   description_format: "markdown",
   vulnerability: "cve-2024-9164",
   creation_timestamp: "2024-10-11T12:22:18.480655+00:00",
   timestamp: "2024-10-11T12:22:18.480655+00:00",
   related_vulnerabilities: [
      "CVE-2024-9164",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-9164

MISP 2.4.197 released with many bugs fixed, a security fix and improvements. on cve-2024-45509
6 months ago by Alexandre Dulaunoy


{
   uuid: "80e30504-7622-448d-a12f-9f2454207c6d",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: " MISP 2.4.197 released with many bugs fixed, a security fix and improvements.",
   description: "- [MISP 2.4.197 released with many bugs fixed, a security fix and improvements.](https://www.misp-project.org/2024/09/02/MISP.2.4.197.released.html/) The MISP release 2.4.197 ",
   description_format: "markdown",
   vulnerability: "cve-2024-45509",
   creation_timestamp: "2024-09-05T12:30:37.480867+00:00",
   timestamp: "2024-09-09T07:00:39.566529+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-45509