Details of VAR-202210-1266

ID

VAR-202210-1266

CVE

CVE-2022-33872

TITLE

fortinet's FortiTester In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-019311

DESCRIPTION

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in Telnet login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary command in the underlying shell. fortinet's FortiTester for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-33872 // JVNDB: JVNDB-2022-019311 // VULHUB: VHN-426023

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortitester	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	gte	version:	2.3.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	lt	version:	3.9.2	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	lt	version:	7.1.1	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	lt	version:	4.2.1	Trust: 1.0
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	4.0.0 that's all 4.2.1	Trust: 0.8
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	7.0.0 that's all 7.1.1	Trust: 0.8
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	2.3.0 that's all 3.9.2	Trust: 0.8

sources: JVNDB: JVNDB-2022-019311 // NVD: CVE-2022-33872

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-33872
value:	CRITICAL
Trust: 1.0
psirt@fortinet.com:	CVE-2022-33872
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-33872
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202210-1202
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2022-33872
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-33872
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-019311 // CNNVD: CNNVD-202210-1202 // NVD: CVE-2022-33872 // NVD: CVE-2022-33872

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-426023 // JVNDB: JVNDB-2022-019311 // NVD: CVE-2022-33872

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-1202

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202210-1202

PATCH

title:	FG-IR-22-237	url:	https://fortiguard.com/psirt/FG-IR-22-237	Trust: 0.8
title:	FortiTester Fixes for operating system command injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=211663	Trust: 0.6

sources: JVNDB: JVNDB-2022-019311 // CNNVD: CNNVD-202210-1202

EXTERNAL IDS

db:	NVD	id:	CVE-2022-33872	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-019311	Trust: 0.8
db:	CNNVD	id:	CNNVD-202210-1202	Trust: 0.6
db:	VULHUB	id:	VHN-426023	Trust: 0.1

sources: VULHUB: VHN-426023 // JVNDB: JVNDB-2022-019311 // CNNVD: CNNVD-202210-1202 // NVD: CVE-2022-33872

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-237	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-33872	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-33872/	Trust: 0.6

sources: VULHUB: VHN-426023 // JVNDB: JVNDB-2022-019311 // CNNVD: CNNVD-202210-1202 // NVD: CVE-2022-33872

SOURCES

db:	VULHUB	id:	VHN-426023
db:	JVNDB	id:	JVNDB-2022-019311
db:	CNNVD	id:	CNNVD-202210-1202
db:	NVD	id:	CVE-2022-33872

LAST UPDATE DATE

2024-08-14T14:02:19.270000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-426023	date:	2022-10-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-019311	date:	2023-10-25T05:39:00
db:	CNNVD	id:	CNNVD-202210-1202	date:	2022-10-24T00:00:00
db:	NVD	id:	CVE-2022-33872	date:	2022-10-21T13:00:32.270

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-426023	date:	2022-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-019311	date:	2023-10-25T00:00:00
db:	CNNVD	id:	CNNVD-202210-1202	date:	2022-10-18T00:00:00
db:	NVD	id:	CVE-2022-33872	date:	2022-10-18T15:15:09.687