CVE-2022-27483: Fortiguard

An improper neutralization of special elements used in an OS command (‘OS command injection’) in Fortinet FortiManager version 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x and 6.0.x and FortiAnalyzer version 7.0.0 through 7.0.3, version 6.4.0 through 6.4.7, 6.2.x and 6.0.x allows an attacker to execute arbitrary shell code as root user via diagnose system CLI commands.


PSIRT Advisories

FortiAnalyzer & FortiManager - OS command injection vulnerability in CLI

Summary

An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiAnalyzer & FortiManager may allow an authenticated attacker to execute arbitrary shell code as `root` user via `diagnose system` CLI commands.

Affected Products

At least the following FortiManager versions:
FortiManager version 7.0.0 through 7.0.3
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.0.0 through 6.0.11

At least the following FortiAnalyzer versions:
FortiAnalyzer version 7.0.0 through 7.0.3
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.0.0 through 6.0.11

Solutions

Upgrade to FortiAnalyzer version 7.2.0 or above, or
Upgrade to FortiAnalyzer version 7.0.4 or above, or
Upgrade to FortiAnalyzer version 6.4.8 or above.

Upgrade to FortiManager version 7.2.0 or above, or
Upgrade to FortiManager version 7.0.4 or above, or
Upgrade to FortiManager version 6.4.8 or above.
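A small added checker (not Fortinet's code) that encodes the Affected Products and Solutions sections above, so an inventory script can decide whether a reported FortiManager or FortiAnalyzer build is inside the CVE-2022-27483 ranges and which fixed release the advisory names for that branch. Version strings such as "v7.0.2" or "6.4.7,build2400" are assumed input formats.

```python
# Added example (not Fortinet's code): map a FortiManager / FortiAnalyzer
# build to the CVE-2022-27483 affected ranges and the fixed release the
# advisory names for that branch.
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory (inclusive); both products list
# the same four ranges.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 3)),
    ((6, 4, 0), (6, 4, 7)),
    ((6, 2, 0), (6, 2, 9)),
    ((6, 0, 0), (6, 0, 11)),
]

# Fixed releases named under "Solutions", keyed by major.minor branch.
# The advisory names no fixed build on the 6.2 or 6.0 branches; for those
# the only listed remedy is moving to a fixed branch (7.2.0, 7.0.4, 6.4.8).
FIXED_BY_BRANCH = {(7, 0): (7, 0, 4), (6, 4): (6, 4, 8)}

PRODUCTS = ("FortiManager", "FortiAnalyzer")


class Verdict(NamedTuple):
    affected: bool            # inside a listed affected range
    fixed_in: Optional[Version]  # fixed build on the same branch, if any


def parse_version(text: str) -> Version:
    """Parse 'v7.0.2', '7.0.2' or '6.4.7,build2400' into a 3-tuple."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def check(product: str, version_text: str) -> Verdict:
    """Return whether the build is affected and the same-branch fix, if named."""
    if product not in PRODUCTS:
        raise ValueError(f"advisory does not cover {product!r}")
    v = parse_version(version_text)
    affected = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    fixed = FIXED_BY_BRANCH.get(v[:2]) if affected else None
    return Verdict(affected, fixed)
```

A build outside every listed range (for example 7.2.0, 7.0.4 or 6.4.8) is reported as not affected; a 6.2.x or 6.0.x build is reported affected with no same-branch fix, matching what the advisory states.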

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.
