First published: Wed Apr 06 2022
Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiAnalyzer | >=5.6.0 <6.0.11 | |
| Fortinet FortiAnalyzer | >=6.2.0 <6.2.8 | |
| Fortinet FortiAnalyzer | >=6.4.0 <6.4.6 | |
| Fortinet FortiManager | >=5.6.0 <6.0.11 | |
| Fortinet FortiManager | >=6.2.0 <6.2.8 | |
| Fortinet FortiManager | >=6.4.0 <6.4.6 | |
| Fortinet FortiPortal | <5.2.6 | |
| Fortinet FortiPortal | >=5.3.0 <5.3.6 | |
| Fortinet FortiPortal | >=6.0.0 <6.0.5 | |
CVE-2021-26104 covers multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager, FortiAnalyzer, and FortiPortal.
CVE-2021-26104 has a severity rating of 7.8 (high).
Affected versions are FortiManager 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x, and 5.6.x; FortiAnalyzer 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x, and 5.6.x; and FortiPortal 5.2.5 and below, 5.3.5 and below, and 6.0.4 and below.
To fix the CVE-2021-26104 vulnerability, upgrade FortiManager to version 6.2.8 or higher, 6.4.6 or higher, or use the provided workaround. Upgrade FortiAnalyzer to version 6.2.8 or higher, 6.4.6 or higher, or use the provided workaround. Upgrade FortiPortal to version 5.2.6 or higher, 5.3.6 or higher, 6.0.5 or higher, or use the provided workaround.
You can find more information about CVE-2021-26104 on the FortiGuard advisory page and the GitHub security advisory page.