CVE-2024-54021

Published: Jan 14, 2025Modified: Aug 8, 2025

5.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 may allow a remote unauthenticated attacker to bypass the file filter via crafted HTTP headers.

Affected (5)

Products: Fortinet: Fortios, Fortiproxy

Fortinet

2 products

Fortios

Fortiproxy

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 7.2.0 to 7.2.9
Fortinet Fortios	From 7.4.0 to 7.4.5
Fortinet Fortios	Version 7.6.0
Fortinet Fortiproxy	From 7.2.0 to 7.2.12
Fortinet Fortiproxy	From 7.4.0 to 7.4.6

Related CWEs

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-282

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.