Details of VAR-202301-0415

ID

VAR-202301-0415

CVE

CVE-2022-39947

TITLE

FortiADC In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-001489

DESCRIPTION

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. FortiADC for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2022-39947 // JVNDB: JVNDB-2023-001489 // VULHUB: VHN-435743 // VULMON: CVE-2022-39947

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiadc	scope:	gte	version:	6.1.0	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	gte	version:	5.4.0	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	eq	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	eq	version:	7.0.1	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	lte	version:	5.4.5	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	lte	version:	6.0.4	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	lte	version:	6.2.3	Trust: 1.0
vendor:	fortinet	model:	fortiadc	scope:	lte	version:	6.1.6	Trust: 1.0
vendor:	フォーティネット	model:	fortiadc	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiadc	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-001489 // NVD: CVE-2022-39947

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-39947
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2022-39947
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2023-001489
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202301-132
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-39947
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2023-001489
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-001489 // CNNVD: CNNVD-202301-132 // NVD: CVE-2022-39947 // NVD: CVE-2022-39947

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-435743 // JVNDB: JVNDB-2023-001489 // NVD: CVE-2022-39947

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202301-132

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202301-132

PATCH

title:	FG-IR-22-061	url:	https://www.fortiguard.com/psirt/FG-IR-22-061	Trust: 0.8
title:	Fortinet FortiADC Fixes for operating system command injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=220848	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2022-39947	Trust: 0.1

sources: VULMON: CVE-2022-39947 // JVNDB: JVNDB-2023-001489 // CNNVD: CNNVD-202301-132

EXTERNAL IDS

db:	NVD	id:	CVE-2022-39947	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-001489	Trust: 0.8
db:	AUSCERT	id:	ESB-2023.0066	Trust: 0.6
db:	CNNVD	id:	CNNVD-202301-132	Trust: 0.6
db:	VULHUB	id:	VHN-435743	Trust: 0.1
db:	VULMON	id:	CVE-2022-39947	Trust: 0.1

sources: VULHUB: VHN-435743 // VULMON: CVE-2022-39947 // JVNDB: JVNDB-2023-001489 // CNNVD: CNNVD-202301-132 // NVD: CVE-2022-39947

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-061	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-39947	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-39947/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.0066	Trust: 0.6
url:	https://github.com/live-hack-cve/cve-2022-39947	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-435743 // VULMON: CVE-2022-39947 // JVNDB: JVNDB-2023-001489 // CNNVD: CNNVD-202301-132 // NVD: CVE-2022-39947

SOURCES

db:	VULHUB	id:	VHN-435743
db:	VULMON	id:	CVE-2022-39947
db:	JVNDB	id:	JVNDB-2023-001489
db:	CNNVD	id:	CNNVD-202301-132
db:	NVD	id:	CVE-2022-39947

LAST UPDATE DATE

2024-08-14T13:52:51.262000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-435743	date:	2023-01-10T00:00:00
db:	VULMON	id:	CVE-2022-39947	date:	2023-01-04T00:00:00
db:	JVNDB	id:	JVNDB-2023-001489	date:	2023-04-11T08:43:00
db:	CNNVD	id:	CNNVD-202301-132	date:	2023-01-11T00:00:00
db:	NVD	id:	CVE-2022-39947	date:	2023-11-07T03:50:40.860

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-435743	date:	2023-01-03T00:00:00
db:	VULMON	id:	CVE-2022-39947	date:	2023-01-03T00:00:00
db:	JVNDB	id:	JVNDB-2023-001489	date:	2023-04-11T00:00:00
db:	CNNVD	id:	CNNVD-202301-132	date:	2023-01-03T00:00:00
db:	NVD	id:	CVE-2022-39947	date:	2023-01-03T17:15:10.400