CVE-2024-54021

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-54021
An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 may allow a remote unauthenticated attacker to bypass the file filter via crafted HTTP headers.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-282 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:*
History

08 Aug 2025, 16:03

Type Values Removed Values Added
CWE CWE-436

06 Aug 2025, 18:15

Type Values Removed Values Added
Summary (en) An improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 allows attacker to execute unauthorized code or commands via crafted HTTP header. (en) An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 may allow a remote unauthenticated attacker to bypass the file filter via crafted HTTP headers.

03 Feb 2025, 22:04

Type Values Removed Values Added
Summary
  • (es) Una neutralización incorrecta de las secuencias crlf en los encabezados http ("división de respuesta http") en Fortinet FortiOS 7.2.0 a 7.6.0, FortiProxy 7.2.0 a 7.4.5 permite a un atacante ejecutar código o comandos no autorizados a través del encabezado HTTP manipulado.
First Time Fortinet fortiproxy
Fortinet
Fortinet fortios
References () https://fortiguard.fortinet.com/psirt/FG-IR-24-282 - () https://fortiguard.fortinet.com/psirt/FG-IR-24-282 - Vendor Advisory
CPE cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
CWE CWE-436

14 Jan 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-14 14:15

Updated : 2025-08-08 16:03

NVD link : CVE-2024-54021

Mitre link : CVE-2024-54021

CVE.ORG link : CVE-2024-54021

JSON object : View

Products Affected

fortinet

  • fortios
  • fortiproxy
CWE
CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')