CVE-2022-27489: OS Command Injection
First published: Thu Feb 16 2023(Updated: )
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet Fortiextender Firmware | >=3.2.1<3.2.4 | |
| Fortinet Fortiextender Firmware | >=4.1.1<4.1.9 | |
| Fortinet Fortiextender Firmware | >=4.2.0<4.2.5 | |
| Fortinet Fortiextender Firmware | >=7.0.0<7.0.4 | |
| Fortinet Fortiextender Firmware | =3.0.0 | |
| Fortinet Fortiextender Firmware | =3.0.1 | |
| Fortinet Fortiextender Firmware | =3.0.2 | |
| Fortinet Fortiextender Firmware | =3.1.0 | |
| Fortinet Fortiextender Firmware | =3.1.1 | |
| Fortinet Fortiextender Firmware | =5.3.2 | |
| Fortinet FortiExtender |
Remedy
Upgrade to FortiExtender version 7.2.0 and above Upgrade to FortiExtender version 7.0.4 and above Upgrade to FortiExtender upcoming version 4.2.5 and above Upgrade to FortiExtender upcoming version 4.1.9 and above Upgrade to FortiExtender upcoming version 4.0.3 and above Upgrade to FortiExtender version 3.3.3 and above Upgrade to FortiExtender version 3.2.4 and above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-27489?
CVE-2022-27489 is considered a high severity vulnerability due to its potential for code execution by unauthorized attackers.
How do I fix CVE-2022-27489?
To fix CVE-2022-27489, upgrade your Fortinet FortiExtender firmware to a patched version provided by Fortinet.
What systems are affected by CVE-2022-27489?
CVE-2022-27489 affects Fortinet FortiExtender firmware versions 7.0.0 through 7.0.3, 5.3.2, and 4.2.4 and below.
What kind of attacks can be executed through CVE-2022-27489?
CVE-2022-27489 allows attackers to perform OS command injection, enabling them to execute unauthorized commands via crafted HTTP requests.
Is there a workaround for CVE-2022-27489?
A recommended workaround for CVE-2022-27489 is to implement strict input validation rules to mitigate unauthorized command execution.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/severity
- agent/author
- agent/references
- agent/remedy
- agent/description
- agent/event
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- vendor/fortinet
- canonical/fortinet fortiextender firmware
- version/fortinet fortiextender firmware/3.2.1
- version/fortinet fortiextender firmware/3.3.0
- version/fortinet fortiextender firmware/4.1.1
- version/fortinet fortiextender firmware/4.2.0
- version/fortinet fortiextender firmware/7.0.0
- version/fortinet fortiextender firmware/3.0.0
- version/fortinet fortiextender firmware/3.0.1
- version/fortinet fortiextender firmware/3.0.2
- version/fortinet fortiextender firmware/3.1.0
- version/fortinet fortiextender firmware/3.1.1
- version/fortinet fortiextender firmware/5.3.2
- canonical/fortinet fortiextender