PT-2023-7426 · Fortinet · FortiOS, FortiProxy

Published 2023-02-16 · Updated 2023-08-08 · CVE-2022-42472

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

FortiOS versions 6.0.0 through 6.0.16
FortiOS versions 6.2.0 through 6.2.12
FortiOS versions 6.4.0 through 6.4.11
FortiOS versions 7.0.0 through 7.0.8
FortiOS versions 7.2.0 through 7.2.2
FortiProxy versions 1.1.0 through 1.1.6
FortiProxy versions 1.2.0 through 1.2.13
FortiProxy versions 2.0.0 through 2.0.10
FortiProxy versions 7.0.0 through 7.0.7
FortiProxy versions 7.2.0 through 7.2.1
Description

The vulnerability is an improper neutralization of CRLF sequences in HTTP headers, also known as 'HTTP Response Splitting' (CWE-113). An authenticated, remote attacker who can get attacker-controlled data into a response header can embed one CR/LF pair to terminate that header and a second pair to terminate the header block, which gives them control over the remaining headers and body of the response: arbitrary HTTP headers can be injected, and the bytes that follow the injected blank line are consumed by the client as response content chosen by the attacker. The CVSS vector reflects the preconditions and impact: reachable over the network (AV:N), a low-privileged account is required (PR:L), no user interaction (UI:N), and a limited confidentiality and integrity impact (C:L/I:L) with no availability impact.
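The mechanism described above, as an added example that is not Fortinet code and is not taken from this advisory: a redirect handler that copies a caller-supplied value into a Location header unchecked, a hardened variant that rejects CR/LF (including the percent-encoded %0d%0a form), and a small client-side parser that shows how a pipelining client or cache sees one server response turn into two. The handler names, the Location-header scenario and the payload are all constructed for illustration; the advisory does not say which FortiOS/FortiProxy endpoint is affected.

```python
"""Added example (not FortiOS/FortiProxy code): how a CR/LF sequence in a
reflected HTTP header splits a response, and how neutralizing the header
value prevents it. All names, the Location-header scenario and the payload
are constructed for illustration."""
from __future__ import annotations

from urllib.parse import unquote

CRLF = "\r\n"

# Constructed attacker input: closes the server's 302 early, then supplies a
# complete second response under the attacker's control.
INJECTED_BODY = b"<script>alert(1)</script>"
SPLIT_PAYLOAD = (
    "https://example.com/" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + f"Content-Length: {len(INJECTED_BODY)}" + CRLF
    + CRLF
    + INJECTED_BODY.decode("ascii")
)


def contains_crlf(value: str) -> bool:
    """Detection check: True if the value carries CR or LF, either literally
    or percent-encoded (%0d / %0a in any letter case). Suitable for a WAF
    rule or for scanning request parameters in access logs."""
    decoded = unquote(value)
    return any(c in value or c in decoded for c in ("\r", "\n"))


def render_response(status: str, headers: list[tuple[str, str]], body: bytes = b"") -> bytes:
    """Serialize a response; header values are emitted verbatim."""
    head = CRLF.join([status] + [f"{name}: {value}" for name, value in headers])
    return (head + CRLF + CRLF).encode("latin-1") + body


def redirect_vulnerable(target: str) -> bytes:
    """CWE-113 pattern: a caller-supplied value lands in a header unchecked."""
    return render_response("HTTP/1.1 302 Found",
                           [("Location", target), ("Content-Length", "0")])


def redirect_hardened(target: str) -> bytes:
    """Reject rather than strip CR/LF: stripping can still leave attacker-chosen
    text in the header, rejecting keeps the response shape fixed."""
    if contains_crlf(target):
        raise ValueError("CR/LF not allowed in a header value")
    return render_response("HTTP/1.1 302 Found",
                           [("Location", target), ("Content-Length", "0")])


def parse_responses(raw: bytes) -> list[dict]:
    """Parse a byte stream the way a pipelining client or cache would:
    status line, headers, blank line, then Content-Length bytes of body,
    repeated until the stream no longer starts with a status line."""
    responses: list[dict] = []
    pos = 0
    while pos < len(raw):
        while raw.startswith(b"\r\n", pos):      # tolerate stray CRLF between messages
            pos += 2
        if not raw.startswith(b"HTTP/", pos):
            break
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].decode("latin-1").split(CRLF)
        headers: dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append({"status": lines[0], "headers": headers,
                          "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return responses


def demo() -> dict:
    """Observable outcome of both builders on the constructed payload."""
    seen = parse_responses(redirect_vulnerable(SPLIT_PAYLOAD))
    try:
        redirect_hardened(SPLIT_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {"responses_seen": len(seen),
            "injected_status": seen[-1]["status"],
            "injected_body": seen[-1]["body"],
            "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the vulnerable builder producing a stream the parser reads as two responses, the second of which is entirely attacker-authored, while the hardened builder refuses the same input. The check is done on both the raw and the percent-decoded value because a handler that decodes its input before placing it in a header is exactly the case where an encoded %0d%0a becomes a real CR/LF on the wire.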
Recommendations

Upgrade each affected branch to a release of that branch in which Fortinet has fixed the HTTP Response Splitting issue:

FortiOS 6.0.0 through 6.0.16, 6.2.0 through 6.2.12, 6.4.0 through 6.4.11, 7.0.0 through 7.0.8, and 7.2.0 through 7.2.2
FortiProxy 1.1.0 through 1.1.6, 1.2.0 through 1.2.13, 2.0.0 through 2.0.10, 7.0.0 through 7.0.7, and 7.2.0 through 7.2.1

As a temporary workaround, restrict access to the HTTP endpoints of the affected devices. The flaw requires an authenticated user (PR:L), so limiting which networks can reach the HTTP interfaces and which accounts exist on them reduces exposure until the upgrade is applied; it does not remove the flaw.

Weakness Enumeration

Special Elements Injection (CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers, 'HTTP Response Splitting')

Related Identifiers

BDU:2023-08463
CVE-2022-42472

Affected Products

FortiOS
FortiProxy