Details of VAR-202404-3533

ID

VAR-202404-3533

CVE

CVE-2024-21756

TITLE

fortinet's FortiSandbox In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-015432

DESCRIPTION

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSandbox version 4.4.0 through 4.4.3 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 allows attacker to execute unauthorized code or commands via crafted requests.. fortinet's FortiSandbox for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2024-21756 // JVNDB: JVNDB-2024-015432

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.4.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.0.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.2.7	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.0.0 that's all 4.0.5	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.2.0 that's all 4.2.7	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0 that's all 4.4.4	Trust: 0.8

sources: JVNDB: JVNDB-2024-015432 // NVD: CVE-2024-21756

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2024-21756
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-21756
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-21756
value:	HIGH
Trust: 0.8

psirt@fortinet.com:	CVE-2024-21756
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2024-21756
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2024-015432 // NVD: CVE-2024-21756 // NVD: CVE-2024-21756

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-015432 // NVD: CVE-2024-21756

PATCH

title:

FG-IR-23-489

url:

https://fortiguard.com/psirt/FG-IR-23-489

Trust: 0.8

sources: JVNDB: JVNDB-2024-015432

EXTERNAL IDS

db:	NVD	id:	CVE-2024-21756	Trust: 2.6
db:	JVNDB	id:	JVNDB-2024-015432	Trust: 0.8

sources: JVNDB: JVNDB-2024-015432 // NVD: CVE-2024-21756

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-23-489	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-21756	Trust: 0.8

sources: JVNDB: JVNDB-2024-015432 // NVD: CVE-2024-21756

SOURCES

db:	JVNDB	id:	JVNDB-2024-015432
db:	NVD	id:	CVE-2024-21756

LAST UPDATE DATE

2024-12-25T23:33:03.122000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2024-015432	date:	2024-12-24T06:15:00
db:	NVD	id:	CVE-2024-21756	date:	2024-12-23T15:02:00.357

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2024-015432	date:	2024-12-24T00:00:00
db:	NVD	id:	CVE-2024-21756	date:	2024-04-09T15:15:31.173