ID

VAR-202302-1493


CVE

CVE-2022-27489


TITLE

Fortinet FortiExtender firmware OS command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-004478

DESCRIPTION

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests. An OS command injection vulnerability exists in Fortinet's FortiExtender firmware. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiExtender is a wireless WAN (Wide Area Network) extender device from Fortinet, an American company.

Trust: 2.25

sources: NVD: CVE-2022-27489 // JVNDB: JVNDB-2023-004478 // CNVD: CNVD-2024-37345 // VULMON: CVE-2022-27489

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-37345

AFFECTED PRODUCTS

vendor: fortinet | model: fortiextender | scope: eq | version: 5.3.2

Trust: 1.6

vendor: fortinet | model: fortiextender | scope: lt | version: 7.0.4

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: eq | version: 3.1.0

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: lt | version: 4.1.9

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: eq | version: 3.0.1

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: lt | version: 3.2.4

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: eq | version: 3.1.1

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: gte | version: 4.2.0

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: lt | version: 3.3.3

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: gte | version: 3.3.0

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: eq | version: 3.0.0

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: gte | version: 7.0.0

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: gte | version: 3.2.1

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: lt | version: 4.2.5

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: eq | version: 3.0.2

Trust: 1.0

vendor: fortinet | model: fortiextender | scope: gte | version: 4.1.1

Trust: 1.0

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 4.1.1 or later, before 4.1.9

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 4.2.0 or later, before 4.2.5

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.0.2

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: -

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.0.1

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.1.0

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.3.0 or later, before 3.3.3

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 7.0.0 or later, before 7.0.4

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.2.1 or later, before 3.2.4

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.1.1

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 3.0.0

Trust: 0.8

vendor: Fortinet | model: fortiextender | scope: eq | version: fortiextender firmware 5.3.2

Trust: 0.8

vendor: fortinet | model: fortiextender | scope: lte | version: <=4.2.4

Trust: 0.6

vendor: fortinet | model: fortiextender | scope: gte | version: 7.0.0,<=7.0.3

Trust: 0.6

sources: CNVD: CNVD-2024-37345 // JVNDB: JVNDB-2023-004478 // NVD: CVE-2022-27489

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-27489
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2022-27489
value: HIGH

Trust: 1.0

NVD: CVE-2022-27489
value: HIGH

Trust: 0.8

CNVD: CNVD-2024-37345
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202302-1448
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-37345
severity: HIGH
baseScore: 8.3
vectorString: AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-27489
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-27489
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-37345 // JVNDB: JVNDB-2023-004478 // CNNVD: CNNVD-202302-1448 // NVD: CVE-2022-27489 // NVD: CVE-2022-27489

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype: OS command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-004478 // NVD: CVE-2022-27489

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1448

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202302-1448

PATCH

title: fortiguard.com (FG-IR-22-048) | url: https://fortiguard.com/psirt/FG-IR-22-048

Trust: 0.8

title: Patch for Fortinet FortiExtender Command Injection Vulnerability (CNVD-2024-37345) | url: https://www.cnvd.org.cn/patchInfo/show/587506

Trust: 0.6

title: Fortinet FortiExtender Fixes for operating system command injection vulnerabilities | url: http://123.124.177.30/web/xxk/bdxqById.tag?id=226814

Trust: 0.6

sources: CNVD: CNVD-2024-37345 // JVNDB: JVNDB-2023-004478 // CNNVD: CNNVD-202302-1448

EXTERNAL IDS

db: NVD | id: CVE-2022-27489

Trust: 3.9

db: JVNDB | id: JVNDB-2023-004478

Trust: 0.8

db: CNVD | id: CNVD-2024-37345

Trust: 0.6

db: CNNVD | id: CNNVD-202302-1448

Trust: 0.6

db: VULMON | id: CVE-2022-27489

Trust: 0.1

sources: CNVD: CNVD-2024-37345 // VULMON: CVE-2022-27489 // JVNDB: JVNDB-2023-004478 // CNNVD: CNNVD-202302-1448 // NVD: CVE-2022-27489

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-22-048

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-27489

Trust: 1.4

url:https://cxsecurity.com/cveshow/cve-2022-27489/

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2024-37345 // VULMON: CVE-2022-27489 // JVNDB: JVNDB-2023-004478 // CNNVD: CNNVD-202302-1448 // NVD: CVE-2022-27489

SOURCES

db: CNVD | id: CNVD-2024-37345
db: VULMON | id: CVE-2022-27489
db: JVNDB | id: JVNDB-2023-004478
db: CNNVD | id: CNNVD-202302-1448
db: NVD | id: CVE-2022-27489

LAST UPDATE DATE

2024-09-05T22:53:09.506000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2024-37345 | date: 2024-09-04T00:00:00
db: VULMON | id: CVE-2022-27489 | date: 2023-02-16T00:00:00
db: JVNDB | id: JVNDB-2023-004478 | date: 2023-10-30T07:37:00
db: CNNVD | id: CNNVD-202302-1448 | date: 2023-02-27T00:00:00
db: NVD | id: CVE-2022-27489 | date: 2023-11-07T03:45:20.570

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2024-37345 | date: 2023-09-04T00:00:00
db: VULMON | id: CVE-2022-27489 | date: 2023-02-16T00:00:00
db: JVNDB | id: JVNDB-2023-004478 | date: 2023-10-30T00:00:00
db: CNNVD | id: CNNVD-202302-1448 | date: 2023-02-16T00:00:00
db: NVD | id: CVE-2022-27489 | date: 2023-02-16T19:15:12.190