ID

VAR-202304-0925


CVE

CVE-2022-27485


TITLE

SQL injection vulnerability in Fortinet FortiSandbox

Trust: 0.8

sources: JVNDB: JVNDB-2022-022450

DESCRIPTION

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request. Fortinet FortiSandbox contains an SQL injection vulnerability. Information may be obtained.

Trust: 1.62

sources: NVD: CVE-2022-27485 // JVNDB: JVNDB-2022-022450

AFFECTED PRODUCTS

vendor: fortinet, model: fortisandbox, scope: lte, version: 3.0.7

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: lt, version: 3.2.4

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: gte, version: 3.1.0

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: gte, version: 3.0.1

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: lt, version: 4.0.3

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: eq, version: 4.2.0

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: gte, version: 4.0.0

Trust: 1.0

vendor: フォーティネット, model: fortisandbox, scope: eq, version: 3.1.0 that's all 3.2.4

Trust: 0.8

vendor: フォーティネット, model: fortisandbox, scope: eq, version: -

Trust: 0.8

vendor: フォーティネット, model: fortisandbox, scope: eq, version: 4.2.0

Trust: 0.8

vendor: フォーティネット, model: fortisandbox, scope: eq, version: 3.0.1 to 3.0.7

Trust: 0.8

vendor: フォーティネット, model: fortisandbox, scope: eq, version: 4.0.0 that's all 4.0.3

Trust: 0.8

sources: JVNDB: JVNDB-2022-022450 // NVD: CVE-2022-27485

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-27485
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2022-27485
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-27485
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202304-774
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-27485
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2022-27485
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-022450 // CNNVD: CNNVD-202304-774 // NVD: CVE-2022-27485 // NVD: CVE-2022-27485

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.0

problemtype: SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-022450 // NVD: CVE-2022-27485

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-774

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202304-774

PATCH

title: FG-IR-22-060, url: https://www.fortiguard.com/psirt/FG-IR-22-060

Trust: 0.8

title: Fortinet FortiSandbox SQL injection vulnerability repair measures, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=234193

Trust: 0.6

sources: JVNDB: JVNDB-2022-022450 // CNNVD: CNNVD-202304-774

EXTERNAL IDS

db: NVD, id: CVE-2022-27485

Trust: 3.2

db: JVNDB, id: JVNDB-2022-022450

Trust: 0.8

db: CNNVD, id: CNNVD-202304-774

Trust: 0.6

sources: JVNDB: JVNDB-2022-022450 // CNNVD: CNNVD-202304-774 // NVD: CVE-2022-27485

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-22-060

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-27485

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-27485/

Trust: 0.6

sources: JVNDB: JVNDB-2022-022450 // CNNVD: CNNVD-202304-774 // NVD: CVE-2022-27485

SOURCES

db: JVNDB, id: JVNDB-2022-022450
db: CNNVD, id: CNNVD-202304-774
db: NVD, id: CVE-2022-27485

LAST UPDATE DATE

2024-08-14T13:41:55.057000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2022-022450, date: 2023-11-17T05:34:00
db: CNNVD, id: CNNVD-202304-774, date: 2023-04-19T00:00:00
db: NVD, id: CVE-2022-27485, date: 2023-11-07T03:45:20.327

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2022-022450, date: 2023-11-17T00:00:00
db: CNNVD, id: CNNVD-202304-774, date: 2023-04-11T00:00:00
db: NVD, id: CVE-2022-27485, date: 2023-04-11T17:15:07.130