ID

VAR-202108-2248


CVE

CVE-2021-26104


TITLE

OS command injection vulnerability in multiple Fortinet products

Trust: 0.8

sources: JVNDB: JVNDB-2021-019573

DESCRIPTION

Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters. An OS command injection vulnerability exists in FortiManager, FortiAnalyzer, and FortiPortal. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Fortinet FortiManager and others are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. Fortinet FortiAnalyzer is a centralized network security reporting solution. Fortinet FortiPortal is an advanced, feature-rich managed security analysis and management support tool for the FortiGate, FortiWiFi and FortiAP product lines, available as a virtual machine for MSPs.

Trust: 2.25

sources: NVD: CVE-2021-26104 // JVNDB: JVNDB-2021-019573 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-385068

AFFECTED PRODUCTS

vendor: fortinet model: fortianalyzer scope: gte version: 5.6.0

Trust: 1.0

vendor: fortinet model: fortiportal scope: lt version: 5.3.6

Trust: 1.0

vendor: fortinet model: fortimanager scope: lt version: 6.4.6

Trust: 1.0

vendor: fortinet model: fortianalyzer scope: gte version: 6.4.0

Trust: 1.0

vendor: fortinet model: fortimanager scope: lt version: 6.0.11

Trust: 1.0

vendor: fortinet model: fortimanager scope: lt version: 6.2.8

Trust: 1.0

vendor: fortinet model: fortiportal scope: lt version: 5.2.6

Trust: 1.0

vendor: fortinet model: fortianalyzer scope: lt version: 6.4.6

Trust: 1.0

vendor: fortinet model: fortimanager scope: gte version: 5.6.0

Trust: 1.0

vendor: fortinet model: fortianalyzer scope: lt version: 6.0.11

Trust: 1.0

vendor: fortinet model: fortimanager scope: gte version: 6.4.0

Trust: 1.0

vendor: fortinet model: fortiportal scope: lt version: 6.0.5

Trust: 1.0

vendor: fortinet model: fortiportal scope: gte version: 5.3.0

Trust: 1.0

vendor: fortinet model: fortianalyzer scope: gte version: 6.2.0

Trust: 1.0

vendor: fortinet model: fortiportal scope: gte version: 6.0.0

Trust: 1.0

vendor: fortinet model: fortianalyzer scope: lt version: 6.2.8

Trust: 1.0

vendor: fortinet model: fortimanager scope: gte version: 6.2.0

Trust: 1.0

vendor: Fortinet model: fortianalyzer scope: - version: -

Trust: 0.8

vendor: Fortinet model: fortimanager scope: - version: -

Trust: 0.8

vendor: Fortinet model: fortiportal scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-019573 // NVD: CVE-2021-26104

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-26104
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-26104
value: HIGH

Trust: 1.0

NVD: CVE-2021-26104
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-319
value: HIGH

Trust: 0.6

VULHUB: VHN-385068
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-26104
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-385068
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-26104
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-019573
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-385068 // JVNDB: JVNDB-2021-019573 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-319 // NVD: CVE-2021-26104 // NVD: CVE-2021-26104

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-385068 // JVNDB: JVNDB-2021-019573 // NVD: CVE-2021-26104

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202108-319

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: FG-IR-21-037 url: https://www.fortiguard.com/psirt/FG-IR-21-037

Trust: 0.8

title: Fortinet repair measures for operating system command injection vulnerabilities in many products url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158569

Trust: 0.6

sources: JVNDB: JVNDB-2021-019573 // CNNVD: CNNVD-202108-319

EXTERNAL IDS

db: NVD id: CVE-2021-26104

Trust: 3.3

db: JVNDB id: JVNDB-2021-019573

Trust: 0.8

db: CS-HELP id: SB2021041363

Trust: 0.6

db: CNNVD id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP id: SB2021080319

Trust: 0.6

db: AUSCERT id: ESB-2021.2617

Trust: 0.6

db: CNNVD id: CNNVD-202108-319

Trust: 0.6

db: CNVD id: CNVD-2022-47985

Trust: 0.1

db: VULHUB id: VHN-385068

Trust: 0.1

sources: VULHUB: VHN-385068 // JVNDB: JVNDB-2021-019573 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-319 // NVD: CVE-2021-26104

REFERENCES

url:https://fortiguard.com/advisory/fg-ir-21-037

Trust: 1.7

url:https://github.com/orangecertcc/security-research/security/advisories/ghsa-f73m-fvj3-m2pm

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-26104

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021080319

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-26104/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2617

Trust: 0.6

url:https://vigilance.fr/vulnerability/fortianalyzer-fortimanager-code-execution-via-os-command-injection-36038

Trust: 0.6

sources: VULHUB: VHN-385068 // JVNDB: JVNDB-2021-019573 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-319 // NVD: CVE-2021-26104

SOURCES

db: VULHUB id: VHN-385068
db: JVNDB id: JVNDB-2021-019573
db: CNNVD id: CNNVD-202104-975
db: CNNVD id: CNNVD-202108-319
db: NVD id: CVE-2021-26104

LAST UPDATE DATE

2024-08-14T12:36:16.074000+00:00


SOURCES UPDATE DATE

db: VULHUB id: VHN-385068 date: 2022-07-28T00:00:00
db: JVNDB id: JVNDB-2021-019573 date: 2023-08-04T03:14:00
db: CNNVD id: CNNVD-202104-975 date: 2021-04-14T00:00:00
db: CNNVD id: CNNVD-202108-319 date: 2022-08-10T00:00:00
db: NVD id: CVE-2021-26104 date: 2022-07-28T18:00:26.863

SOURCES RELEASE DATE

db: VULHUB id: VHN-385068 date: 2022-04-06T00:00:00
db: JVNDB id: JVNDB-2021-019573 date: 2023-08-04T00:00:00
db: CNNVD id: CNNVD-202104-975 date: 2021-04-13T00:00:00
db: CNNVD id: CNNVD-202108-319 date: 2021-08-03T00:00:00
db: NVD id: CVE-2021-26104 date: 2022-04-06T16:15:07.863