Details of VAR-202310-2004

ID

VAR-202310-2004

CVE

CVE-2023-34986

TITLE

fortinet's FortiWLM In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-014134

DESCRIPTION

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted HTTP get request parameters. fortinet's FortiWLM for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiWLM is a wireless manager from the American company Fortinet. Fortinet FortiWLM has a command execution vulnerability. The vulnerability is caused by the application's failure to properly filter special characters, commands, etc. in constructed commands

Trust: 2.16

sources: NVD: CVE-2023-34986 // JVNDB: JVNDB-2023-014134 // CNVD: CNVD-2023-98190

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-98190

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiwlm	scope:	gte	version:	8.6.0	Trust: 1.0
vendor:	fortinet	model:	fortiwlm	scope:	lte	version:	8.5.4	Trust: 1.0
vendor:	fortinet	model:	fortiwlm	scope:	lte	version:	8.6.5	Trust: 1.0
vendor:	fortinet	model:	fortiwlm	scope:	gte	version:	8.5.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiwlm	scope:	eq	version:	8.5.0 to 8.5.4	Trust: 0.8
vendor:	フォーティネット	model:	fortiwlm	scope:	eq	version:	8.6.0 to 8.6.5	Trust: 0.8
vendor:	フォーティネット	model:	fortiwlm	scope:	eq	version:	-	Trust: 0.8
vendor:	fortinet	model:	fortiwlm	scope:	gte	version:	8.6.0,<=8.6.5	Trust: 0.6
vendor:	fortinet	model:	fortiwlm	scope:	gte	version:	8.5.0,<=8.5.4	Trust: 0.6

sources: CNVD: CNVD-2023-98190 // JVNDB: JVNDB-2023-014134 // NVD: CVE-2023-34986

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-34986
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2023-34986
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-34986
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2023-98190
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2023-98190
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-34986
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2023-34986
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-98190 // JVNDB: JVNDB-2023-014134 // NVD: CVE-2023-34986 // NVD: CVE-2023-34986

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-014134 // NVD: CVE-2023-34986

PATCH

title:	FG-IR-23-141	url:	https://www.fortiguard.com/psirt/FG-IR-23-141	Trust: 0.8
title:	Patch for Fortinet FortiSIEM command execution vulnerability (CNVD-2023-98190)	url:	https://www.cnvd.org.cn/patchInfo/show/497416	Trust: 0.6

sources: CNVD: CNVD-2023-98190 // JVNDB: JVNDB-2023-014134

EXTERNAL IDS

db:	NVD	id:	CVE-2023-34986	Trust: 3.2
db:	JVNDB	id:	JVNDB-2023-014134	Trust: 0.8
db:	CNVD	id:	CNVD-2023-98190	Trust: 0.6

sources: CNVD: CNVD-2023-98190 // JVNDB: JVNDB-2023-014134 // NVD: CVE-2023-34986

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2023-34986	Trust: 1.4
url:	https://fortiguard.com/psirt/fg-ir-23-141	Trust: 1.0

sources: CNVD: CNVD-2023-98190 // JVNDB: JVNDB-2023-014134 // NVD: CVE-2023-34986

SOURCES

db:	CNVD	id:	CNVD-2023-98190
db:	JVNDB	id:	JVNDB-2023-014134
db:	NVD	id:	CVE-2023-34986

LAST UPDATE DATE

2024-08-14T15:41:30.727000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-98190	date:	2023-12-18T00:00:00
db:	JVNDB	id:	JVNDB-2023-014134	date:	2023-12-22T07:34:00
db:	NVD	id:	CVE-2023-34986	date:	2023-11-07T04:15:51.533

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-98190	date:	2023-12-08T00:00:00
db:	JVNDB	id:	JVNDB-2023-014134	date:	2023-12-22T00:00:00
db:	NVD	id:	CVE-2023-34986	date:	2023-10-10T17:15:11.343