PSIRT Advisories

FortiWeb - Stack-based buffer overflow in command line interpreter

Summary

Multiple stack-based buffer overflows [CWE-121] in the command line interpreter of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.

Affected Products

FortiWeb 6.4.1 and earlier.
FortiWeb 6.3.15 and earlier.
FortiWeb 6.2.5 and earlier.
FortiWeb 6.1.2 and earlier.
FortiWeb 6.0.7 and earlier.

All FortiWeb versions 5.x are also affected.

Solutions

Upgrade to FortiWeb 6.4.2 or later.
Upgrade to FortiWeb 6.3.16 or later.
Upgrade to FortiWeb 6.2.6 or later.

Fixes for older versions are to be confirmed.
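To turn the affected and fixed version lists above into a repeatable inventory check, the following Python snippet classifies a FortiWeb version string against the branches this advisory names. It is an added example, not part of the advisory or a Fortinet tool; the only version numbers it encodes are the ones stated above, and any branch the advisory does not mention (for instance 6.5 or 4.x) is reported as not covered rather than guessed.

```python
# Added example (not part of the advisory): classify FortiWeb versions against
# the affected/fixed branches listed in this PSIRT advisory.
import re

# First fixed release per branch, taken from the "Solutions" section.
# None means the advisory lists no fixed release for that branch
# (6.1.x / 6.0.x: "to be confirmed"; all 5.x: affected).
FIXED_IN = {
    (6, 4): (6, 4, 2),
    (6, 3): (6, 3, 16),
    (6, 2): (6, 2, 6),
    (6, 1): None,
    (6, 0): None,
}


def parse_version(text):
    """Parse 'major.minor.patch' (optionally prefixed with 'v') into a tuple of ints."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(version_text):
    """Return one of: 'affected', 'affected, no fix listed', 'fixed', 'not covered'."""
    version = parse_version(version_text)
    major, minor, _patch = version
    if major == 5:
        return "affected"            # advisory: all 5.x versions are affected
    branch = (major, minor)
    if branch not in FIXED_IN:
        return "not covered"         # branch not mentioned in the advisory
    fixed = FIXED_IN[branch]
    if fixed is None:
        return "affected, no fix listed"
    # Tuple comparison handles 6.3.16 > 6.3.2 correctly, unlike string comparison.
    return "fixed" if version >= fixed else "affected"


def triage(inventory):
    """Map each (host, version) pair in an inventory to its advisory status."""
    return {host: status(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fwb-dc1", "6.4.1"),
        ("fwb-dc2", "6.4.2"),
        ("fwb-lab", "6.1.2"),
        ("fwb-old", "5.9.0"),
    ]
    for host, result in triage(sample).items():
        print(f"{host}: {result}")
```

Patch numbers are compared as integers, so 6.3.16 correctly sorts above 6.3.2; a naive string comparison would get that wrong and mark a fixed build as affected.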

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.