Double free with double usage of json_object_put

Summary

A double free vulnerability [CWE-415] in FortiOS may allow a privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests.
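The bug class named in the title, shown as an added example that is not FortiOS code and not taken from the advisory. It assumes a constructed request handler whose error path and common cleanup both release the same reference; obj_new, obj_put and obj_put_clear are hypothetical stand-ins that model the reference-count behaviour of json_object_put in a static pool so the second release can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a json-c style refcounted object. Slots live in a
   static pool so a second release is counted instead of corrupting the heap. */
struct obj { int refcount; int live; };

static struct obj pool[4];
static int double_free_count;  /* releases that hit an already-freed slot */

static struct obj *obj_new(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].refcount = 1; return &pool[i]; }
    return NULL;
}

/* Models json_object_put(): drop one reference, free at zero, return 1 if freed. */
static int obj_put(struct obj *o) {
    if (!o) return 0;
    if (!o->live) { double_free_count++; return 0; }  /* real heap: free() of freed memory */
    if (--o->refcount > 0) return 0;
    o->live = 0;
    return 1;
}

/* Hardened idiom: release through the owner's pointer, then clear it. */
static void obj_put_clear(struct obj **p) { if (p && *p) { obj_put(*p); *p = NULL; } }

/* Vulnerable shape (assumed): error path and cleanup both put the same reference. */
int handle_request_vulnerable(int parse_failed) {
    double_free_count = 0;
    struct obj *req = obj_new();
    if (parse_failed) obj_put(req);   /* first put, object freed */
    obj_put(req);                     /* cleanup: second put on the error path */
    return double_free_count;
}

/* Fixed shape: the cleared pointer makes the cleanup release a no-op. */
int handle_request_fixed(int parse_failed) {
    double_free_count = 0;
    struct obj *req = obj_new();
    if (parse_failed) obj_put_clear(&req);
    obj_put_clear(&req);
    return double_free_count;
}

int main(void) {
    printf("vulnerable, error path: %d double free(s)\n", handle_request_vulnerable(1));
    printf("fixed, error path:      %d double free(s)\n", handle_request_fixed(1));
    return 0;
}
```

With the real json-c library the second put would act on freed memory, which is why builds under AddressSanitizer are the usual way to catch this pattern in testing.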

Version        Affected            Solution
FortiOS 7.0    Not affected        Not Applicable
FortiOS 6.4    6.4 all versions    Migrate to a fixed release
FortiOS 6.2    6.2 all versions    Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by the FortiOS QA team.

Timeline

2024-05-14: Initial publication