CVE-2022-42471 — HTTP Request/Response Splitting in Fortinet Fortiweb

CWE-113 — HTTP Request/Response Splitting CWE-74 — Injection4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 49.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb

Timeline

PublishedJan 3

Description

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5fortinet/fortiweb7.0.0 — 7.0.2+2

▶NVDfortinet/fortiweb6.3.6 — 6.3.21+6

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-g39q-wwrq-p5cv: An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7↗2023-01-03

▶

CVEList

CVE-2022-42471: An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7↗2023-01-03

▶

📋Vendor Advisories

Fortinet

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In Fort...↗2023-01-03

▶