Details of VAR-201910-1238

ID

VAR-201910-1238

CVE

CVE-2019-15710

TITLE

Fortinet FortiExtender Operating System Command Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-39943 // CNNVD: CNNVD-201910-1570

DESCRIPTION

An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands. FortiExtender Is OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Fortinet FortiExtender is a wireless WAN (Wide Area Network) expander from Fortinet. There are operating system command injection vulnerabilities in Fortinet FortiExtender versions prior to 4.1.2. This vulnerability is caused by external input data constructing operating system executable commands. Network systems or products do not properly filter special characters, commands, etc., which can be exploited by attackers. This vulnerability performs an illegal operating system command

Trust: 2.16

sources: NVD: CVE-2019-15710 // JVNDB: JVNDB-2019-011533 // CNVD: CNVD-2019-39943

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-39943

AFFECTED PRODUCTS

vendor:	fortiguard	model:	fortiextender	scope:	lte	version:	4.1.1	Trust: 1.0
vendor:	fortinet	model:	fortiextender	scope:	lte	version:	4.0.0	Trust: 0.8
vendor:	fortinet	model:	fortiextender	scope:	eq	version:	4.1.0 to 4.1.1	Trust: 0.8
vendor:	fortinet	model:	fortiextender	scope:	lt	version:	4.1.2	Trust: 0.6
vendor:	fortiguard	model:	fortiextender	scope:	eq	version:	4.1.1	Trust: 0.6
vendor:	fortiguard	model:	fortiextender	scope:	eq	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-39943 // JVNDB: JVNDB-2019-011533 // CNNVD: CNNVD-201910-1570 // NVD: CVE-2019-15710

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15710
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-15710
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-39943
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201910-1570
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2019-15710
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-39943
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-15710
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-15710
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-39943 // JVNDB: JVNDB-2019-011533 // CNNVD: CNNVD-201910-1570 // NVD: CVE-2019-15710

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-011533 // NVD: CVE-2019-15710

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1570

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201910-1570

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011533

PATCH

title:	FG-IR-19-273	url:	https://fortiguard.com/psirt/FG-IR-19-273	Trust: 0.8
title:	Patch for Fortinet FortiExtender Operating System Command Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/189487	Trust: 0.6
title:	Fortinet FortiExtender Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101438	Trust: 0.6

sources: CNVD: CNVD-2019-39943 // JVNDB: JVNDB-2019-011533 // CNNVD: CNNVD-201910-1570

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15710	Trust: 3.0
db:	AUSCERT	id:	ESB-2019.3985	Trust: 1.2
db:	JVNDB	id:	JVNDB-2019-011533	Trust: 0.8
db:	CNVD	id:	CNVD-2019-39943	Trust: 0.6
db:	CNNVD	id:	CNNVD-201910-1570	Trust: 0.6

sources: CNVD: CNVD-2019-39943 // JVNDB: JVNDB-2019-011533 // CNNVD: CNNVD-201910-1570 // NVD: CVE-2019-15710

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-19-273	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15710	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2019.3985/	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15710	Trust: 0.8

sources: CNVD: CNVD-2019-39943 // JVNDB: JVNDB-2019-011533 // CNNVD: CNNVD-201910-1570 // NVD: CVE-2019-15710

SOURCES

db:	CNVD	id:	CNVD-2019-39943
db:	JVNDB	id:	JVNDB-2019-011533
db:	CNNVD	id:	CNNVD-201910-1570
db:	NVD	id:	CVE-2019-15710

LAST UPDATE DATE

2024-11-23T22:58:29.675000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-39943	date:	2019-11-11T00:00:00
db:	JVNDB	id:	JVNDB-2019-011533	date:	2019-11-12T00:00:00
db:	CNNVD	id:	CNNVD-201910-1570	date:	2019-11-15T00:00:00
db:	NVD	id:	CVE-2019-15710	date:	2024-11-21T04:29:18.237

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-39943	date:	2019-11-11T00:00:00
db:	JVNDB	id:	JVNDB-2019-011533	date:	2019-11-12T00:00:00
db:	CNNVD	id:	CNNVD-201910-1570	date:	2019-10-29T00:00:00
db:	NVD	id:	CVE-2019-15710	date:	2019-10-31T20:15:11.100