PT-2022-6128 · Fortinet · Fortiweb

Published

2022-02-01

Updated

2022-02-04

CVE-2021-41018

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FortiWeb versions 6.4.1 and below FortiWeb versions 6.3.15 and below

Description The issue exists due to improper neutralization of special elements used in an operating system command, allowing for os command injection. This can be exploited by a remote attacker using a specially crafted HTTP request to execute unauthorized code or commands.

Recommendations For FortiWeb versions 6.4.1 and below, update to a version above 6.4.1 to resolve the issue. For FortiWeb versions 6.3.15 and below, update to a version above 6.3.15 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable os command injection functionality until a patch is available.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2023-00081

CVE-2021-41018

Affected Products

Fortiweb

PT-2022-6128 · Fortinet · Fortiweb

CVE-2021-41018

Weakness Enumeration

Related Identifiers

Affected Products

References · 5