CVE-2022-33874 — OS Command Injection in Fortinet Fortitester

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

4.0%

top 11.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortitester Fortinet Fortitester

Timeline

PublishedOct 18

Description

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in SSH login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary command in the underlying shell.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDfortinet/fortitester2.3.0 — 3.9.2+2

▶CVEListV5fortinet/fortinet_fortitesterFortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0

🔴Vulnerability Details

GHSA

GHSA-hc98-vqpg-62xm: An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in SSH login components of Fort↗2022-10-18

▶

CVEList

CVE-2022-33874: An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in SSH login components of Fort↗2022-10-10

▶

📋Vendor Advisories

Fortinet

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] i...↗2022-10-18

▶