OS command injection in CLI
Summary
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiWeb & FortiADC may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
Version | Affected | Solution |
---|---|---|
FortiADC 7.2 | Not affected | Not Applicable |
FortiADC 7.1 | 7.1.0 through 7.1.1 | Upgrade to 7.1.2 or above |
FortiADC 7.0 | 7.0.0 through 7.0.3 | Upgrade to 7.0.4 or above |
FortiADC 6.2 | 6.2 all versions | Migrate to a fixed release |
FortiADC 6.1 | 6.1 all versions | Migrate to a fixed release |
FortiADC 6.0 | 6.0 all versions | Migrate to a fixed release |
FortiADC 5.4 | 5.4 all versions | Migrate to a fixed release |
FortiADC 5.3 | 5.3 all versions | Migrate to a fixed release |
FortiADC 5.2 | 5.2 all versions | Migrate to a fixed release |
FortiADC 5.1 | 5.1 all versions | Migrate to a fixed release |
FortiWeb 7.2 | Not affected | Not Applicable |
FortiWeb 7.0 | 7.0.0 through 7.0.3 | Upgrade to 7.0.4 or above |
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.Timeline
2023-04-11: Initial publication