ID

VAR-202302-1300


CVE

CVE-2022-42472


TITLE

Injection vulnerability in Fortinet's FortiProxy and FortiOS

Trust: 0.8

sources: JVNDB: JVNDB-2022-019901

DESCRIPTION

An improper neutralization of CRLF sequences in HTTP headers ('HTTP response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response. There is an injection vulnerability in Fortinet's FortiProxy and FortiOS. Information may be obtained and information may be tampered with.

Trust: 1.8

sources: NVD: CVE-2022-42472 // JVNDB: JVNDB-2022-019901 // VULHUB: VHN-439113 // VULMON: CVE-2022-42472

AFFECTED PRODUCTS

vendor: fortinet | model: fortiproxy | scope: gte | version: 7.0.0

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: lte | version: 1.1.6

Trust: 1.0

vendor: fortinet | model: fortios | scope: eq | version: 7.2.1

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: eq | version: 7.2.1

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: gte | version: 1.1.0

Trust: 1.0

vendor: fortinet | model: fortios | scope: lte | version: 6.2.12

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: lte | version: 2.0.10

Trust: 1.0

vendor: fortinet | model: fortios | scope: gte | version: 7.0.0

Trust: 1.0

vendor: fortinet | model: fortios | scope: gte | version: 6.2.0

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: lte | version: 1.2.13

Trust: 1.0

vendor: fortinet | model: fortios | scope: gte | version: 6.0.1

Trust: 1.0

vendor: fortinet | model: fortios | scope: lte | version: 6.0.16

Trust: 1.0

vendor: fortinet | model: fortios | scope: eq | version: 7.2.0

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: gte | version: 2.0.0

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: eq | version: 7.2.0

Trust: 1.0

vendor: fortinet | model: fortios | scope: gte | version: 6.4.0

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: gte | version: 1.2.0

Trust: 1.0

vendor: fortinet | model: fortiproxy | scope: lte | version: 7.0.7

Trust: 1.0

vendor: fortinet | model: fortios | scope: eq | version: 7.2.2

Trust: 1.0

vendor: fortinet | model: fortios | scope: lte | version: 7.0.8

Trust: 1.0

vendor: fortinet | model: fortios | scope: lte | version: 6.4.11

Trust: 1.0

vendor: Fortinet | model: fortios | scope: eq | version: 6.4.0 to 6.4.11

Trust: 0.8

vendor: Fortinet | model: fortios | scope: eq | version: 7.2.0

Trust: 0.8

vendor: Fortinet | model: fortios | scope: eq | version: 7.2.2

Trust: 0.8

vendor: Fortinet | model: fortiproxy | scope: - | version: -

Trust: 0.8

vendor: Fortinet | model: fortios | scope: eq | version: 7.0.0 to 7.0.8

Trust: 0.8

vendor: Fortinet | model: fortios | scope: eq | version: 6.2.0 to 6.2.12

Trust: 0.8

vendor: Fortinet | model: fortios | scope: eq | version: 7.2.1

Trust: 0.8

vendor: Fortinet | model: fortios | scope: eq | version: 6.0.1 to 6.0.16

Trust: 0.8

sources: JVNDB: JVNDB-2022-019901 // NVD: CVE-2022-42472

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-42472
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2022-42472
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-42472
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202302-1426
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-42472
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2022-42472
baseSeverity: MEDIUM
baseScore: 4.2
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2022-42472
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-019901 // CNNVD: CNNVD-202302-1426 // NVD: CVE-2022-42472 // NVD: CVE-2022-42472

PROBLEMTYPE DATA

problemtype:CWE-113

Trust: 1.0

problemtype:CWE-74

Trust: 1.0

problemtype:injection (CWE-74) [NVD evaluation]

Trust: 0.8

problemtype:CWE-436

Trust: 0.1

sources: VULHUB: VHN-439113 // JVNDB: JVNDB-2022-019901 // NVD: CVE-2022-42472

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1426

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202302-1426

PATCH

title: FG-IR-22-362 | url: https://www.fortiguard.com/psirt/FG-IR-22-362

Trust: 0.8

title: Fortinet FortiOS Security vulnerabilities | url: http://123.124.177.30/web/xxk/bdxqById.tag?id=226088

Trust: 0.6

sources: JVNDB: JVNDB-2022-019901 // CNNVD: CNNVD-202302-1426

EXTERNAL IDS

db: NVD | id: CVE-2022-42472

Trust: 3.4

db: JVNDB | id: JVNDB-2022-019901

Trust: 0.8

db: AUSCERT | id: ESB-2023.1052

Trust: 0.6

db: CNNVD | id: CNNVD-202302-1426

Trust: 0.6

db: VULHUB | id: VHN-439113

Trust: 0.1

db: VULMON | id: CVE-2022-42472

Trust: 0.1

sources: VULHUB: VHN-439113 // VULMON: CVE-2022-42472 // JVNDB: JVNDB-2022-019901 // CNNVD: CNNVD-202302-1426 // NVD: CVE-2022-42472

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-22-362

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-42472

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2023.1052

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-42472/

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-439113 // VULMON: CVE-2022-42472 // JVNDB: JVNDB-2022-019901 // CNNVD: CNNVD-202302-1426 // NVD: CVE-2022-42472

SOURCES

db: VULHUB | id: VHN-439113
db: VULMON | id: CVE-2022-42472
db: JVNDB | id: JVNDB-2022-019901
db: CNNVD | id: CNNVD-202302-1426
db: NVD | id: CVE-2022-42472

LAST UPDATE DATE

2024-08-14T15:05:53.755000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-439113 | date: 2023-02-27T00:00:00
db: VULMON | id: CVE-2022-42472 | date: 2023-02-16T00:00:00
db: JVNDB | id: JVNDB-2022-019901 | date: 2023-10-30T01:20:00
db: CNNVD | id: CNNVD-202302-1426 | date: 2023-02-28T00:00:00
db: NVD | id: CVE-2022-42472 | date: 2023-11-07T03:53:22.160

SOURCES RELEASE DATE

db: VULHUB | id: VHN-439113 | date: 2023-02-16T00:00:00
db: VULMON | id: CVE-2022-42472 | date: 2023-02-16T00:00:00
db: JVNDB | id: JVNDB-2022-019901 | date: 2023-10-30T00:00:00
db: CNNVD | id: CNNVD-202302-1426 | date: 2023-02-16T00:00:00
db: NVD | id: CVE-2022-42472 | date: 2023-02-16T19:15:13.583