Details of VAR-202507-2630

ID

VAR-202507-2630

CVE

CVE-2024-27779

TITLE

fortinet's FortiIsolator and FortiSandbox Session deadline vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2024-026490

DESCRIPTION

An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted. fortinet's FortiIsolator and FortiSandbox contains a session expiration vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2024-27779 // JVNDB: JVNDB-2024-026490

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiisolator	scope:	gte	version:	1.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.4.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.2.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiisolator	scope:	lt	version:	2.4.5	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0 that's all 4.4.5	Trust: 0.8
vendor:	フォーティネット	model:	fortiisolator	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.2.0 that's all 4.2.7	Trust: 0.8

sources: JVNDB: JVNDB-2024-026490 // NVD: CVE-2024-27779

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2024-27779
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2024-026490
value:	MEDIUM
Trust: 0.8

psirt@fortinet.com:	CVE-2024-27779
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	1.2
impactScore:	5.5
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2024-026490
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2024-026490 // NVD: CVE-2024-27779

PROBLEMTYPE DATA

problemtype:	CWE-613	Trust: 1.0
problemtype:	Inappropriate session deadline (CWE-613) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-026490 // NVD: CVE-2024-27779

PATCH

title:

FG-IR-24-035

url:

https://fortiguard.fortinet.com/psirt/FG-IR-24-035

Trust: 0.8

sources: JVNDB: JVNDB-2024-026490

EXTERNAL IDS

db:	NVD	id:	CVE-2024-27779	Trust: 2.6
db:	JVNDB	id:	JVNDB-2024-026490	Trust: 0.8

sources: JVNDB: JVNDB-2024-026490 // NVD: CVE-2024-27779

REFERENCES

url:	https://fortiguard.fortinet.com/psirt/fg-ir-24-035	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-27779	Trust: 0.8

sources: JVNDB: JVNDB-2024-026490 // NVD: CVE-2024-27779

SOURCES

db:	JVNDB	id:	JVNDB-2024-026490
db:	NVD	id:	CVE-2024-27779

LAST UPDATE DATE

2025-07-29T23:16:51.865000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2024-026490	date:	2025-07-28T07:04:00
db:	NVD	id:	CVE-2024-27779	date:	2025-07-22T17:07:27.987

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2024-026490	date:	2025-07-28T00:00:00
db:	NVD	id:	CVE-2024-27779	date:	2025-07-18T08:15:25.850