CVE-2021-43073
Published 2022-02-02
Priority: P2 · 61 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.39% (68.8th percentile)
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 5.8.0 < 6.2.7 | 6.2.7 |
| fortinet | fortiweb | >= 6.3.0 < 6.3.17 | 6.3.17 |
| fortinet | fortiweb | >= 6.4.0 < 6.4.2 | 6.4.2 |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered via crafted HTTP requests to Fortinet FortiWeb; monitor for anomalous or malformed HTTP requests targeting FortiWeb management interfaces
- Classify as OS Command Injection (CWE-78) in FortiWeb; detection logic should focus on HTTP request parameters that may pass unsanitized input to OS-level commands
- Affected FortiWeb versions are 6.4.1, 6.4.0, 6.3.15 and below, and 6.2.6 and below; ensure detection and patching scope covers all these branches
CVSS provenance
NVD v3.1: 8.8 HIGH — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM — AV:N/AC:L/Au:S/C:P/I:P/A:P
Sources
Fortinet advisory FG-IR-21-180 (vendor_fortinet · 2022-02-02 · CVSS 8.8): CVE-2021-43073 [HIGH] CWE-78
CVEs: CVE-2021-43073
CWEs: CWE-78
CVSS: 8.8 (high)
Affected products: FortiWeb, Fortinet
GHSA-qrf2-8ggh-7fqc (ghsa_unreviewed · 2022-02-08): CVE-2021-43073 [HIGH] CWE-78
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-02-02