ID

VAR-202202-1709


CVE

CVE-2021-41018


TITLE

Fortinet FortiWeb OS command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-004519

DESCRIPTION

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and below and 6.3.15 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests. An OS command injection vulnerability exists in Fortinet FortiWeb. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content.

Trust: 1.71

sources: NVD: CVE-2021-41018 // JVNDB: JVNDB-2022-004519 // VULHUB: VHN-402291

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: lt, version: 6.3.16

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.3.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lt, version: 6.2.7

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: lt, version: 6.4.2

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: gte, version: 6.2.0

Trust: 1.0

vendor: Fortinet, model: fortiweb, scope: lte, version: 6.3.15 and earlier

Trust: 0.8

vendor: Fortinet, model: fortiweb, scope: lte, version: 6.4.1 and earlier

Trust: 0.8

vendor: Fortinet, model: fortiweb, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-004519 // NVD: CVE-2021-41018

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41018
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-41018
value: HIGH

Trust: 1.0

NVD: CVE-2021-41018
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202202-136
value: HIGH

Trust: 0.6

VULHUB: VHN-402291
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-41018
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-402291
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-41018
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-004519
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-402291 // JVNDB: JVNDB-2022-004519 // CNNVD: CNNVD-202202-136 // NVD: CVE-2021-41018

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-402291 // JVNDB: JVNDB-2022-004519 // NVD: CVE-2021-41018

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-136

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202202-136

PATCH

title: FG-IR-21-166, url: https://www.fortiguard.com/psirt/FG-IR-21-166

Trust: 0.8

title: Fortinet FortiWeb fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=181532

Trust: 0.6

sources: JVNDB: JVNDB-2022-004519 // CNNVD: CNNVD-202202-136

EXTERNAL IDS

db: NVD, id: CVE-2021-41018

Trust: 3.3

db: JVNDB, id: JVNDB-2022-004519

Trust: 0.8

db: CNNVD, id: CNNVD-202202-136

Trust: 0.7

db: CNVD, id: CNVD-2022-09244

Trust: 0.1

db: VULHUB, id: VHN-402291

Trust: 0.1

sources: VULHUB: VHN-402291 // JVNDB: JVNDB-2022-004519 // CNNVD: CNNVD-202202-136 // NVD: CVE-2021-41018

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-166

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-41018

Trust: 1.4

sources: VULHUB: VHN-402291 // JVNDB: JVNDB-2022-004519 // CNNVD: CNNVD-202202-136 // NVD: CVE-2021-41018

SOURCES

db: VULHUB, id: VHN-402291
db: JVNDB, id: JVNDB-2022-004519
db: CNNVD, id: CNNVD-202202-136
db: NVD, id: CVE-2021-41018

LAST UPDATE DATE

2024-08-14T14:24:57.907000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-402291, date: 2022-02-04T00:00:00
db: JVNDB, id: JVNDB-2022-004519, date: 2023-04-14T08:28:00
db: CNNVD, id: CNNVD-202202-136, date: 2022-02-14T00:00:00
db: NVD, id: CVE-2021-41018, date: 2022-02-04T21:41:50.393

SOURCES RELEASE DATE

db: VULHUB, id: VHN-402291, date: 2022-02-02T00:00:00
db: JVNDB, id: JVNDB-2022-004519, date: 2023-04-14T00:00:00
db: CNNVD, id: CNNVD-202202-136, date: 2022-02-02T00:00:00
db: NVD, id: CVE-2021-41018, date: 2022-02-02T12:15:08.197