CVE-2022-27489

Summary

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiExtender7.0.0 <= 7.0.3affected
FortinetFortiExtender5.3.2affected
FortinetFortiExtender4.2.0 <= 4.2.4affected
FortinetFortiExtender4.1.1 <= 4.1.8affected
FortinetFortiExtender4.0.0 <= 4.0.2affected
FortinetFortiExtender3.3.0 <= 3.3.2affected
FortinetFortiExtender3.2.1 <= 3.2.3affected
FortinetFortiExtender3.1.0 <= 3.1.2affected
FortinetFortiExtender3.0.0 <= 3.0.2affected

Weaknesses

  • CWE-78: Execute unauthorized code or commands

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References