Details of VAR-202404-2098

ID

VAR-202404-2098

CVE

CVE-2023-47540

TITLE

Fortinet FortiSandbox OS Command Injection Vulnerability (CNVD-2024-20429)

Trust: 0.6

sources: CNVD: CNVD-2024-20429

DESCRIPTION

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSandbox version 4.4.0 through 4.4.2 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.5 and 3.2.0 through 3.2.4 and 3.0.5 through 3.0.7 may allows attacker to execute unauthorized code or commands via CLI. Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection device from Fortinet. The device provides dual sandbox technology, dynamic threat intelligence system, real-time control panel and reporting. Fortinet FortiSandbox has an operating system command injection vulnerability, which is caused by an operating system command injection vulnerability

Trust: 1.44

sources: NVD: CVE-2023-47540 // CNVD: CNVD-2024-20429

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-20429

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0,<=3.2.4	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0,<=4.0.5	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0,<=4.2.6	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.5,<=3.0.7	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0,<=4.4.2	Trust: 0.6

sources: CNVD: CNVD-2024-20429

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2023-47540
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2024-20429
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-20429
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:L/AC:L/AU:M/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	2.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

psirt@fortinet.com:	CVE-2023-47540
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2024-20429 // NVD: CVE-2023-47540

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2023-47540

PATCH

title:

Patch for Fortinet FortiSandbox OS Command Injection Vulnerability (CNVD-2024-20429)

url:

https://www.cnvd.org.cn/patchInfo/show/544886

Trust: 0.6

sources: CNVD: CNVD-2024-20429

EXTERNAL IDS

db:	NVD	id:	CVE-2023-47540	Trust: 1.6
db:	CNVD	id:	CNVD-2024-20429	Trust: 0.6

sources: CNVD: CNVD-2024-20429 // NVD: CVE-2023-47540

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-23-411	Trust: 1.6
url:	https://cxsecurity.com/cveshow/cve-2023-47540/	Trust: 0.6

sources: CNVD: CNVD-2024-20429 // NVD: CVE-2023-47540

SOURCES

db:	CNVD	id:	CNVD-2024-20429
db:	NVD	id:	CVE-2023-47540

LAST UPDATE DATE

2024-10-16T23:14:34.372000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-20429	date:	2024-04-26T00:00:00
db:	NVD	id:	CVE-2023-47540	date:	2024-04-10T13:24:22.187

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-20429	date:	2024-04-25T00:00:00
db:	NVD	id:	CVE-2023-47540	date:	2024-04-09T15:15:27.833