FortiManager, FortiAnalyzer and FortiPortal - Multiple OS command injection vulnerabilities
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-21-037
Final
1
1
2021-08-03T00:00:00
Current version
2021-08-03T00:00:00
2021-08-03T00:00:00
Multiple OS command injection [CWE-78] vulnerabilities in the command line interface of FortiManager, FortiAnalyzer, and FortiPortal may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters.
Execute unauthorized code or commands
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager versions 5.6.x, 6.2.x and 6.0.x are also impacted.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer versions 5.6.x, 6.2.x and 6.0.x are also impacted.
FortiPortal version 5.2.5 and below.
FortiPortal version 5.3.5 and below.
FortiPortal version 6.0.4 and below.
Please upgrade to FortiManager version 6.0.11 or above.
Please upgrade to FortiManager version 6.2.8 or above.
Please upgrade to FortiManager version 6.4.6 or above.
Please upgrade to FortiManager version 7.0.0 or above.
Please upgrade to FortiAnalyzer version 6.0.11 or above.
Please upgrade to FortiAnalyzer version 6.2.8 or above.
Please upgrade to FortiAnalyzer version 6.4.6 or above.
Please upgrade to FortiAnalyzer version 7.0.0 or above.
Please upgrade to FortiPortal version 5.2.6 or above.
Please upgrade to FortiPortal version 5.3.6 or above.
Please upgrade to FortiPortal version 6.0.5 or above.
Fortinet is pleased to thank Orange-CERT Coordination Center for reporting this vulnerability under responsible disclosure.
FortiAnalyzer 6.4.5
FortiAnalyzer 6.4.4
FortiAnalyzer 6.4.3
FortiAnalyzer 6.4.2
FortiAnalyzer 6.4.1
FortiAnalyzer 6.4.0
FortiAnalyzer 6.2.7
FortiAnalyzer 6.2.6
FortiAnalyzer 6.2.5
FortiAnalyzer 6.2.4
FortiAnalyzer 6.2.3
FortiAnalyzer 6.2.2
FortiAnalyzer 6.2.1
FortiAnalyzer 6.2.0
FortiAnalyzer 6.0.10
FortiAnalyzer 6.0.9
FortiAnalyzer 6.0.8
FortiAnalyzer 6.0.7
FortiAnalyzer 6.0.6
FortiAnalyzer 6.0.5
FortiAnalyzer 6.0.4
FortiAnalyzer 6.0.3
FortiAnalyzer 6.0.2
FortiAnalyzer 6.0.1
FortiAnalyzer 6.0.0
FortiAnalyzer 5.6.11
FortiAnalyzer 5.6.10
FortiAnalyzer 5.6.9
FortiAnalyzer 5.6.8
FortiAnalyzer 5.6.7
FortiAnalyzer 5.6.6
FortiAnalyzer 5.6.5
FortiAnalyzer 5.6.4
FortiAnalyzer 5.6.3
FortiAnalyzer 5.6.2
FortiAnalyzer 5.6.1
FortiAnalyzer 5.6.0
FortiManager 6.4.5
FortiManager 6.4.4
FortiManager 6.4.3
FortiManager 6.4.2
FortiManager 6.4.1
FortiManager 6.4.0
FortiManager 6.2.7
FortiManager 6.2.6
FortiManager 6.2.5
FortiManager 6.2.4
FortiManager 6.2.3
FortiManager 6.2.2
FortiManager 6.2.1
FortiManager 6.2.0
FortiManager 6.0.10
FortiManager 6.0.9
FortiManager 6.0.8
FortiManager 6.0.7
FortiManager 6.0.6
FortiManager 6.0.5
FortiManager 6.0.4
FortiManager 6.0.3
FortiManager 6.0.2
FortiManager 6.0.1
FortiManager 6.0.0
FortiManager 5.6.11
FortiManager 5.6.10
FortiManager 5.6.9
FortiManager 5.6.8
FortiManager 5.6.7
FortiManager 5.6.6
FortiManager 5.6.5
FortiManager 5.6.4
FortiManager 5.6.3
FortiManager 5.6.2
FortiManager 5.6.1
FortiManager 5.6.0
FortiPortal 6.0.4
CVE-2021-26104
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-21-037