Details of VAR-202404-3263

ID

VAR-202404-3263

CVE

CVE-2024-21755

TITLE

fortinet's FortiSandbox In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-015455

DESCRIPTION

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSandbox version 4.4.0 through 4.4.3 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 allows attacker to execute unauthorized code or commands via crafted requests.. fortinet's FortiSandbox for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2024-21755 // JVNDB: JVNDB-2024-015455

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.4.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.0.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.2.7	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.0.0 that's all 4.0.5	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.2.0 that's all 4.2.7	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0 that's all 4.4.4	Trust: 0.8

sources: JVNDB: JVNDB-2024-015455 // NVD: CVE-2024-21755

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2024-21755
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-21755
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-21755
value:	HIGH
Trust: 0.8

psirt@fortinet.com:	CVE-2024-21755
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2024-21755
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2024-015455 // NVD: CVE-2024-21755 // NVD: CVE-2024-21755

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-015455 // NVD: CVE-2024-21755

PATCH

title:

FG-IR-23-489

url:

https://fortiguard.com/psirt/FG-IR-23-489

Trust: 0.8

sources: JVNDB: JVNDB-2024-015455

EXTERNAL IDS

db:	NVD	id:	CVE-2024-21755	Trust: 2.6
db:	JVNDB	id:	JVNDB-2024-015455	Trust: 0.8

sources: JVNDB: JVNDB-2024-015455 // NVD: CVE-2024-21755

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-23-489	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-21755	Trust: 0.8

sources: JVNDB: JVNDB-2024-015455 // NVD: CVE-2024-21755

SOURCES

db:	JVNDB	id:	JVNDB-2024-015455
db:	NVD	id:	CVE-2024-21755

LAST UPDATE DATE

2024-12-25T23:21:19.072000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2024-015455	date:	2024-12-24T06:44:00
db:	NVD	id:	CVE-2024-21755	date:	2024-12-23T14:58:10.797

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2024-015455	date:	2024-12-24T00:00:00
db:	NVD	id:	CVE-2024-21755	date:	2024-04-09T15:15:30.977