ID

VAR-202204-0958


CVE

CVE-2021-24009


TITLE

OS command injection vulnerability in FortiWAN

Trust: 0.8

sources: JVNDB: JVNDB-2022-009339

DESCRIPTION

Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4.5.9 may allow an authenticated attacker to execute arbitrary commands on the underlying system's shell via specifically crafted HTTP requests. An OS command injection vulnerability exists in FortiWAN: information may be disclosed or tampered with, and service may be interrupted (DoS). Fortinet FortiWAN is a network device from Fortinet Corporation of the United States, used to perform load balancing and fault tolerance between different networks. Fortinet FortiWAN versions prior to 4.5.9 have an operating system command injection vulnerability. Exploitation requires an authenticated Web GUI session; note that Fortinet's PSIRT scores the required privileges as high (CVSS v3.1 PR:H, 7.2) while NVD scores them as low (PR:L, 8.8), so the two sources disagree on the base score but not on the impact.

Trust: 2.25

sources: NVD: CVE-2021-24009 // JVNDB: JVNDB-2022-009339 // CNVD: CNVD-2022-47983 // VULHUB: VHN-382727
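
The CWE-78 pattern named above, shown as an added example (this is illustrative code, not FortiWAN's Web GUI code; the endpoint, the `host` parameter and the diagnostic command are hypothetical, and `echo` stands in for the real system command so the block runs safely offline). It runs a vulnerable handler that concatenates an HTTP parameter into a shell string next to a hardened handler that allowlists the value and passes an argv list with no shell:

```python
"""CWE-78 (OS command injection) in a web handler: vulnerable vs hardened form.

Added illustration, not FortiWAN code. The 'host' parameter and the
diagnostic command are hypothetical; ``echo`` stands in for the real
system command so the demonstration is harmless and runs offline.
"""
import ipaddress
import re
import subprocess

# Constructed sample inputs: a benign host and a crafted value of the kind an
# authenticated attacker could submit in an HTTP request parameter.
BENIGN_HOST = "192.0.2.10"
CRAFTED_HOST = "192.0.2.10; echo INJECTED"


def vulnerable_diagnostic(host: str) -> str:
    """Build the command by string concatenation and hand it to /bin/sh.

    This is the CWE-78 pattern: ';', '|', '&&', '$(...)' and backticks inside
    `host` are parsed by the shell, so the attacker's text becomes a second
    command running with the web server's privileges.
    """
    result = subprocess.run(f"echo {host}", shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def validate_host(host: str) -> str:
    """Allowlist validation: accept only an IP literal or an RFC 1123 hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def argv_only_diagnostic(host: str) -> str:
    """Argv list with shell=False but no validation.

    There is no shell parsing step, so the whole crafted value reaches the
    program as one argument. This stops command injection, but values that
    start with '-' could still be read as options by the program (argument
    injection), which is why validation is kept as well.
    """
    result = subprocess.run(["echo", host], shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


def hardened_diagnostic(host: str) -> str:
    """Validate first, then pass an argv list with shell=False."""
    safe_host = validate_host(host)
    return argv_only_diagnostic(safe_host)


def demonstrate() -> dict:
    """Run both handlers on the constructed inputs and report what happened."""
    report = {
        "vulnerable_benign": vulnerable_diagnostic(BENIGN_HOST).strip(),
        "vulnerable_crafted": vulnerable_diagnostic(CRAFTED_HOST),
        "hardened_benign": hardened_diagnostic(BENIGN_HOST).strip(),
    }
    try:
        hardened_diagnostic(CRAFTED_HOST)
        report["hardened_crafted"] = "accepted"
    except ValueError:
        report["hardened_crafted"] = "rejected"
    return report


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

With the crafted value, the vulnerable handler's output contains a second line produced by the injected `echo INJECTED`; the hardened handler rejects the value before any process is spawned, and the argv-only variant shows that even an unvalidated value cannot reach the shell.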

IOT TAXONOMY

category: Network device
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-47983

AFFECTED PRODUCTS

vendor: fortinet, model: fortiwan, scope: lte, version: 4.5.8

Trust: 1.0

vendor: Fortinet, model: fortiwan, scope: eq, version: 4.5.9

Trust: 0.8

vendor: Fortinet, model: fortiwan, scope: eq, version: -

Trust: 0.8

vendor: fortinet, model: fortiwan, scope: lt, version: 4.5.9

Trust: 0.6

sources: CNVD: CNVD-2022-47983 // JVNDB: JVNDB-2022-009339 // NVD: CVE-2021-24009

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-24009
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-24009
value: HIGH

Trust: 1.0

NVD: CVE-2021-24009
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-47983
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202204-2437
value: HIGH

Trust: 0.6

VULHUB: VHN-382727
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-24009
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-47983
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-382727
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-24009
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-24009
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-24009
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-47983 // VULHUB: VHN-382727 // JVNDB: JVNDB-2022-009339 // CNNVD: CNNVD-202204-2437 // NVD: CVE-2021-24009 // NVD: CVE-2021-24009

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-382727 // JVNDB: JVNDB-2022-009339 // NVD: CVE-2021-24009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-2437

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202204-2437

PATCH

title: FG-IR-21-060
url: https://www.fortiguard.com/psirt/FG-IR-21-060

Trust: 0.8

title: Patch for Fortinet FortiWAN OS Command Injection Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/336046

Trust: 0.6

title: Fix for Fortinet FortiWAN operating system command injection vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=188297

Trust: 0.6

sources: CNVD: CNVD-2022-47983 // JVNDB: JVNDB-2022-009339 // CNNVD: CNNVD-202204-2437

EXTERNAL IDS

db: NVD, id: CVE-2021-24009

Trust: 3.9

db: JVNDB, id: JVNDB-2022-009339

Trust: 0.8

db: CNVD, id: CNVD-2022-47983

Trust: 0.7

db: CS-HELP, id: SB2022040534

Trust: 0.6

db: CNNVD, id: CNNVD-202204-2437

Trust: 0.6

db: VULHUB, id: VHN-382727

Trust: 0.1

sources: CNVD: CNVD-2022-47983 // VULHUB: VHN-382727 // JVNDB: JVNDB-2022-009339 // CNNVD: CNNVD-202204-2437 // NVD: CVE-2021-24009

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-21-060

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-24009

Trust: 0.8

url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-24009

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2021-24009/

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2022040534

Trust: 0.6

sources: CNVD: CNVD-2022-47983 // VULHUB: VHN-382727 // JVNDB: JVNDB-2022-009339 // CNNVD: CNNVD-202204-2437 // NVD: CVE-2021-24009

SOURCES

db: CNVD, id: CNVD-2022-47983
db: VULHUB, id: VHN-382727
db: JVNDB, id: JVNDB-2022-009339
db: CNNVD, id: CNNVD-202204-2437
db: NVD, id: CVE-2021-24009

LAST UPDATE DATE

2024-08-14T14:10:52.491000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-47983, date: 2022-06-28T00:00:00
db: VULHUB, id: VHN-382727, date: 2022-04-13T00:00:00
db: JVNDB, id: JVNDB-2022-009339, date: 2023-08-04T05:02:00
db: CNNVD, id: CNNVD-202204-2437, date: 2022-04-14T00:00:00
db: NVD, id: CVE-2021-24009, date: 2022-04-13T18:40:25.697

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-47983, date: 2022-06-28T00:00:00
db: VULHUB, id: VHN-382727, date: 2022-04-06T00:00:00
db: JVNDB, id: JVNDB-2022-009339, date: 2023-08-04T00:00:00
db: CNNVD, id: CNNVD-202204-2437, date: 2022-04-06T00:00:00
db: NVD, id: CVE-2021-24009, date: 2022-04-06T10:15:07.827