Details of VAR-202210-1453

ID

VAR-202210-1453

CVE

CVE-2022-33874

TITLE

fortinet's FortiTester In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-019308

DESCRIPTION

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in SSH login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary command in the underlying shell. fortinet's FortiTester for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-33874 // JVNDB: JVNDB-2022-019308 // VULHUB: VHN-426025

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortitester	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	gte	version:	2.3.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	lt	version:	3.9.2	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	lt	version:	7.1.1	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	lt	version:	4.2.1	Trust: 1.0
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	4.0.0 that's all 4.2.1	Trust: 0.8
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	7.0.0 that's all 7.1.1	Trust: 0.8
vendor:	フォーティネット	model:	fortitester	scope:	eq	version:	2.3.0 that's all 3.9.2	Trust: 0.8

sources: JVNDB: JVNDB-2022-019308 // NVD: CVE-2022-33874

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-33874
value:	CRITICAL
Trust: 1.0
psirt@fortinet.com:	CVE-2022-33874
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-33874
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202210-1200
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2022-33874
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-33874
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-019308 // CNNVD: CNNVD-202210-1200 // NVD: CVE-2022-33874 // NVD: CVE-2022-33874

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-426025 // JVNDB: JVNDB-2022-019308 // NVD: CVE-2022-33874

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-1200

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202210-1200

PATCH

title:	FG-IR-22-237	url:	https://www.fortiguard.com/psirt/FG-IR-22-237	Trust: 0.8
title:	FortiTester Fixes for operating system command injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=211661	Trust: 0.6

sources: JVNDB: JVNDB-2022-019308 // CNNVD: CNNVD-202210-1200

EXTERNAL IDS

db:	NVD	id:	CVE-2022-33874	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-019308	Trust: 0.8
db:	CNNVD	id:	CNNVD-202210-1200	Trust: 0.6
db:	VULHUB	id:	VHN-426025	Trust: 0.1

sources: VULHUB: VHN-426025 // JVNDB: JVNDB-2022-019308 // CNNVD: CNNVD-202210-1200 // NVD: CVE-2022-33874

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-237	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-33874	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-33874/	Trust: 0.6

sources: VULHUB: VHN-426025 // JVNDB: JVNDB-2022-019308 // CNNVD: CNNVD-202210-1200 // NVD: CVE-2022-33874

SOURCES

db:	VULHUB	id:	VHN-426025
db:	JVNDB	id:	JVNDB-2022-019308
db:	CNNVD	id:	CNNVD-202210-1200
db:	NVD	id:	CVE-2022-33874

LAST UPDATE DATE

2024-08-14T15:42:11.552000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-426025	date:	2022-10-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-019308	date:	2023-10-25T05:33:00
db:	CNNVD	id:	CNNVD-202210-1200	date:	2022-10-24T00:00:00
db:	NVD	id:	CVE-2022-33874	date:	2022-10-21T12:59:37.607

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-426025	date:	2022-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-019308	date:	2023-10-25T00:00:00
db:	CNNVD	id:	CNNVD-202210-1200	date:	2022-10-18T00:00:00
db:	NVD	id:	CVE-2022-33874	date:	2022-10-18T15:15:09.800