Details of VAR-202202-1739

ID

VAR-202202-1739

CVE

CVE-2021-43073

TITLE

Fortinet FortiWeb In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-004769

DESCRIPTION

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. Fortinet FortiWeb for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiWeb is a web application layer firewall from Fortinet. It can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. No detailed vulnerability details are currently provided

Trust: 2.25

sources: NVD: CVE-2021-43073 // JVNDB: JVNDB-2022-004769 // CNVD: CNVD-2022-09243 // VULHUB: VHN-404123

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-09243

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	lt	version:	6.4.2	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.3.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lt	version:	6.2.7	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	5.8.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lt	version:	6.3.17	Trust: 1.0
vendor:	フォーティネット	model:	fortiweb	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiweb	scope:	eq	version:	-	Trust: 0.8
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.4.0,<6.4.2	Trust: 0.6
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	5.8.0,<6.2.7	Trust: 0.6
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.3.0,<6.3.17	Trust: 0.6

sources: CNVD: CNVD-2022-09243 // JVNDB: JVNDB-2022-004769 // NVD: CVE-2021-43073

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-43073
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-43073
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-43073
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-09243
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202202-129
value:	HIGH
Trust: 0.6
VULHUB:	VHN-404123
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-43073
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-09243
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-404123
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-43073
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-004769
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-09243 // VULHUB: VHN-404123 // JVNDB: JVNDB-2022-004769 // CNNVD: CNNVD-202202-129 // NVD: CVE-2021-43073 // NVD: CVE-2021-43073

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-404123 // JVNDB: JVNDB-2022-004769 // NVD: CVE-2021-43073

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-129

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202202-129

PATCH

title:	Top Page	url:	https://www.fortiguard.com/	Trust: 0.8
title:	Patch for Fortinet FortiWeb Operating System Command Injection Vulnerability (CNVD-2022-09243)	url:	https://www.cnvd.org.cn/patchInfo/show/318551	Trust: 0.6
title:	Fortinet FortiWeb Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184454	Trust: 0.6

sources: CNVD: CNVD-2022-09243 // JVNDB: JVNDB-2022-004769 // CNNVD: CNNVD-202202-129

EXTERNAL IDS

db:	NVD	id:	CVE-2021-43073	Trust: 3.9
db:	JVNDB	id:	JVNDB-2022-004769	Trust: 0.8
db:	CNVD	id:	CNVD-2022-09243	Trust: 0.7
db:	CNNVD	id:	CNNVD-202202-129	Trust: 0.7
db:	VULHUB	id:	VHN-404123	Trust: 0.1

sources: CNVD: CNVD-2022-09243 // VULHUB: VHN-404123 // JVNDB: JVNDB-2022-004769 // CNNVD: CNNVD-202202-129 // NVD: CVE-2021-43073

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-43073	Trust: 2.0
url:	https://fortiguard.com/advisory/fg-ir-21-180	Trust: 1.7

sources: CNVD: CNVD-2022-09243 // VULHUB: VHN-404123 // JVNDB: JVNDB-2022-004769 // CNNVD: CNNVD-202202-129 // NVD: CVE-2021-43073

SOURCES

db:	CNVD	id:	CNVD-2022-09243
db:	VULHUB	id:	VHN-404123
db:	JVNDB	id:	JVNDB-2022-004769
db:	CNNVD	id:	CNNVD-202202-129
db:	NVD	id:	CVE-2021-43073

LAST UPDATE DATE

2024-08-14T14:31:20.613000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-09243	date:	2022-02-10T00:00:00
db:	VULHUB	id:	VHN-404123	date:	2022-02-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-004769	date:	2023-05-01T08:12:00
db:	CNNVD	id:	CNNVD-202202-129	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2021-43073	date:	2022-02-07T15:47:35.437

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-09243	date:	2022-02-10T00:00:00
db:	VULHUB	id:	VHN-404123	date:	2022-02-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-004769	date:	2023-05-01T00:00:00
db:	CNNVD	id:	CNNVD-202202-129	date:	2022-02-02T00:00:00
db:	NVD	id:	CVE-2021-43073	date:	2022-02-02T11:15:07.937