PT-2022-21876 · Fortinet · Fortitester
Published
2022-10-10
·
Updated
2022-10-21
·
CVE-2022-33872
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FortiTester versions 2.3.0 through 3.9.1
FortiTester versions 4.0.0 through 4.2.0
FortiTester versions 7.0.0 through 7.1.0
Description
The issue is related to an improper neutralization of special elements used in an OS Command, which may allow an unauthenticated remote attacker to execute arbitrary commands in the underlying shell. This is due to 'OS Command Injection' vulnerabilities in the Telnet login components.
Recommendations
For FortiTester versions 2.3.0 through 3.9.1, consider disabling the Telnet login component until a patch is available.
For FortiTester versions 4.0.0 through 4.2.0, restrict access to the Telnet login component to minimize the risk of exploitation.
For FortiTester versions 7.0.0 through 7.1.0, avoid using the Telnet login component in production environments until the issue is resolved.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fortitester