Back

CVE-2024-31489

Sept. 10, 2024, 3:50 p.m.

Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

Products

FortiClientWindows

  • 7.2.0 - 7.2.2
  • 7.0.0 - 7.0.11

FortiClientLinux

  • 7.2.0
  • 7.0.0 - 7.0.11

FortiClientMac

  • 7.0.0 - 7.0.11
  • 7.2.0 - 7.2.4

Source

psirt@fortinet.com

Tags

CWE-295
psirt@fortinet.com
2024-09-10
CVE-2024-31489

CVE-2024-31489 details

Published : Sept. 10, 2024, 3:15 p.m.
Last Modified : Sept. 10, 2024, 3:50 p.m.

Description

AAn improper certificate validation vulnerability [CWE-295] in FortiClientWindows 7.2.0 through 7.2.2, 7.0.0 through 7.0.11, FortiClientLinux 7.2.0, 7.0.0 through 7.0.11 and FortiClientMac 7.0.0 through 7.0.11, 7.2.0 through 7.2.4 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation

CVSS Score

1 2 3 4 5 6.8 7 8 9 10

Weakness

Weakness Name Description
CWE-295 Improper Certificate Validation The product does not validate, or incorrectly validates, a certificate.

CVSS Data

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.8

Exploitability Score

1.6

Impact Score

5.2

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

URL Source
https://fortiguard.fortinet.com/psirt/FG-IR-22-282 psirt@fortinet.com
This website uses the NVD API, but is not approved or certified by it.