Details of VAR-202108-0731

ID

VAR-202108-0731

CVE

CVE-2021-26097

TITLE

FortiSandbox In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-011886

DESCRIPTION

An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests. FortiSandbox for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Fortinet FortiSandbox is an APT (advanced persistent threat) protection device from Fortinet. The appliance offers features such as dual sandboxing technology, dynamic threat intelligence system, real-time dashboard and reporting. An operating system command injection vulnerability exists in Fortinet FortiSandbox due to improper input validation. The vulnerability allows a remote user to execute arbitrary shell commands on the target system

Trust: 2.34

sources: NVD: CVE-2021-26097 // JVNDB: JVNDB-2021-011886 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-385061 // VULMON: CVE-2021-26097

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.2.3	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.1.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.0.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	3.1.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.0.0 to 3.0.6	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.1.0 to 3.1.4	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.2.0 to 3.2.2	Trust: 0.8

sources: JVNDB: JVNDB-2021-011886 // NVD: CVE-2021-26097

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-26097
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-26097
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-26097
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-339
value:	HIGH
Trust: 0.6
VULHUB:	VHN-385061
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-26097
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-26097
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-385061
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-26097
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-011886
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-385061 // VULMON: CVE-2021-26097 // JVNDB: JVNDB-2021-011886 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-339 // NVD: CVE-2021-26097 // NVD: CVE-2021-26097

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-385061 // JVNDB: JVNDB-2021-011886 // NVD: CVE-2021-26097

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-339

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-20-198	url:	https://www.fortiguard.com/psirt/FG-IR-20-198	Trust: 0.8
title:	Fortinet FortiSandbox Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158589	Trust: 0.6

sources: JVNDB: JVNDB-2021-011886 // CNNVD: CNNVD-202108-339

EXTERNAL IDS

db:	NVD	id:	CVE-2021-26097	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-011886	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-339	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021080315	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2616	Trust: 0.6
db:	VULHUB	id:	VHN-385061	Trust: 0.1
db:	VULMON	id:	CVE-2021-26097	Trust: 0.1

sources: VULHUB: VHN-385061 // VULMON: CVE-2021-26097 // JVNDB: JVNDB-2021-011886 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-339 // NVD: CVE-2021-26097

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-198	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-26097	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080315	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2616	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-385061 // VULMON: CVE-2021-26097 // JVNDB: JVNDB-2021-011886 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-339 // NVD: CVE-2021-26097

SOURCES

db:	VULHUB	id:	VHN-385061
db:	VULMON	id:	CVE-2021-26097
db:	JVNDB	id:	JVNDB-2021-011886
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-339
db:	NVD	id:	CVE-2021-26097

LAST UPDATE DATE

2024-08-14T13:04:37.784000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-385061	date:	2021-08-10T00:00:00
db:	VULMON	id:	CVE-2021-26097	date:	2021-08-10T00:00:00
db:	JVNDB	id:	JVNDB-2021-011886	date:	2022-08-16T01:44:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-339	date:	2021-08-11T00:00:00
db:	NVD	id:	CVE-2021-26097	date:	2021-08-10T23:37:41.523

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-385061	date:	2021-08-04T00:00:00
db:	VULMON	id:	CVE-2021-26097	date:	2021-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2021-011886	date:	2022-08-16T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-339	date:	2021-08-03T00:00:00
db:	NVD	id:	CVE-2021-26097	date:	2021-08-04T16:15:08.287