ID

VAR-202112-0339


CVE

CVE-2021-36180


TITLE

FortiWeb management interface OS command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-016011

DESCRIPTION

Multiple improper neutralization of special elements used in a command vulnerabilities [CWE-77] in the FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.5 and below may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests. The FortiWeb management interface contains an OS command injection vulnerability. Information may be disclosed or tampered with, and service operation may be interrupted (DoS). Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning to ensure the security of web applications and protect sensitive database content.

Trust: 1.71

sources: NVD: CVE-2021-36180 // JVNDB: JVNDB-2021-016011 // VULHUB: VHN-398097

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: eq, version: 5.9.1

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lte, version: 6.0.7

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 5.9.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.4.1

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lte, version: 5.8.6

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lte, version: 6.3.15

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lte, version: 6.2.5

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.3.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.1.1

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 5.8.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 6.1.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.2.0

Trust: 1.0

vendor: Fortinet, model: fortiweb, scope: eq, version: -

Trust: 0.8

vendor: Fortinet, model: fortiweb, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-016011 // NVD: CVE-2021-36180

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-36180
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-36180
value: HIGH

Trust: 1.0

NVD: CVE-2021-36180
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202112-635
value: HIGH

Trust: 0.6

VULHUB: VHN-398097
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-36180
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-398097
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-36180
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-36180
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2021-36180
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-398097 // JVNDB: JVNDB-2021-016011 // CNNVD: CNNVD-202112-635 // NVD: CVE-2021-36180 // NVD: CVE-2021-36180

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

problemtype: CWE-77

Trust: 0.1

sources: VULHUB: VHN-398097 // JVNDB: JVNDB-2021-016011 // NVD: CVE-2021-36180

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-635

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202112-635

PATCH

title: FG-IR-21-120, url: https://www.fortiguard.com/psirt/FG-IR-21-120

Trust: 0.8

title: Fortinet FortiWeb fixes for command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=173884

Trust: 0.6

sources: JVNDB: JVNDB-2021-016011 // CNNVD: CNNVD-202112-635

EXTERNAL IDS

db: NVD, id: CVE-2021-36180

Trust: 3.3

db: JVNDB, id: JVNDB-2021-016011

Trust: 0.8

db: CNNVD, id: CNNVD-202112-635

Trust: 0.6

db: CNVD, id: CNVD-2021-101131

Trust: 0.1

db: VULHUB, id: VHN-398097

Trust: 0.1

sources: VULHUB: VHN-398097 // JVNDB: JVNDB-2021-016011 // CNNVD: CNNVD-202112-635 // NVD: CVE-2021-36180

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-120

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-36180

Trust: 1.4

sources: VULHUB: VHN-398097 // JVNDB: JVNDB-2021-016011 // CNNVD: CNNVD-202112-635 // NVD: CVE-2021-36180

SOURCES

db: VULHUB, id: VHN-398097
db: JVNDB, id: JVNDB-2021-016011
db: CNNVD, id: CNNVD-202112-635
db: NVD, id: CVE-2021-36180

LAST UPDATE DATE

2024-08-14T14:44:12.867000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-398097, date: 2022-07-12T00:00:00
db: JVNDB, id: JVNDB-2021-016011, date: 2022-12-05T06:24:00
db: CNNVD, id: CNNVD-202112-635, date: 2022-07-14T00:00:00
db: NVD, id: CVE-2021-36180, date: 2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db: VULHUB, id: VHN-398097, date: 2021-12-08T00:00:00
db: JVNDB, id: JVNDB-2021-016011, date: 2022-12-05T00:00:00
db: CNNVD, id: CNNVD-202112-635, date: 2021-12-08T00:00:00
db: NVD, id: CVE-2021-36180, date: 2021-12-08T11:15:11.793