{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-27489", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2022-03-21T16:03:48.575Z", "datePublished": "2023-02-16T18:06:40.150Z", "dateUpdated": "2024-10-23T14:46:25.263Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiExtender", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "status": "affected"}, {"version": "5.3.2", "status": "affected"}, {"versionType": "semver", "version": "4.2.0", "lessThanOrEqual": "4.2.4", "status": "affected"}, {"versionType": "semver", "version": "4.1.1", "lessThanOrEqual": "4.1.8", "status": "affected"}, {"versionType": "semver", "version": "4.0.0", "lessThanOrEqual": "4.0.2", "status": "affected"}, {"versionType": "semver", "version": "3.3.0", "lessThanOrEqual": "3.3.2", "status": "affected"}, {"versionType": "semver", "version": "3.2.1", "lessThanOrEqual": "3.2.3", "status": "affected"}, {"versionType": "semver", "version": "3.1.0", "lessThanOrEqual": "3.1.2", "status": "affected"}, {"versionType": "semver", "version": "3.0.0", "lessThanOrEqual": "3.0.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-02-16T18:06:40.150Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiExtender version 7.2.0 and above\r\nUpgrade to FortiExtender version 7.0.4 and above\r\nUpgrade to FortiExtender upcoming version 4.2.5 and above\r\nUpgrade to FortiExtender upcoming version 4.1.9 and above\r\nUpgrade to FortiExtender upcoming version 4.0.3 and above\r\nUpgrade to FortiExtender version 3.3.3 and above\r\nUpgrade to FortiExtender version 3.2.4 and above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-048", "url": "https://fortiguard.com/psirt/FG-IR-22-048"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:32:57.924Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-048", "url": "https://fortiguard.com/psirt/FG-IR-22-048", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T14:11:42.419938Z", "id": "CVE-2022-27489", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:46:25.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-048", "name": "https://fortiguard.com/psirt/FG-IR-22-048", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:32:57.924Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-27489", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-23T14:11:42.419938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:15:20.598Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fortinet", "product": "FortiExtender", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.3"}, {"status": "affected", "version": "5.3.2"}, {"status": "affected", "version": "4.2.0", "versionType": "semver", "lessThanOrEqual": "4.2.4"}, {"status": "affected", "version": "4.1.1", "versionType": "semver", "lessThanOrEqual": "4.1.8"}, {"status": "affected", "version": "4.0.0", "versionType": "semver", "lessThanOrEqual": "4.0.2"}, {"status": "affected", "version": "3.3.0", "versionType": "semver", "lessThanOrEqual": "3.3.2"}, {"status": "affected", "version": "3.2.1", "versionType": "semver", "lessThanOrEqual": "3.2.3"}, {"status": "affected", "version": "3.1.0", "versionType": "semver", "lessThanOrEqual": "3.1.2"}, {"status": "affected", "version": "3.0.0", "versionType": "semver", "lessThanOrEqual": "3.0.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiExtender version 7.2.0 and above\r\nUpgrade to FortiExtender version 7.0.4 and above\r\nUpgrade to FortiExtender upcoming version 4.2.5 and above\r\nUpgrade to FortiExtender upcoming version 4.1.9 and above\r\nUpgrade to FortiExtender upcoming version 4.0.3 and above\r\nUpgrade to FortiExtender version 3.3.3 and above\r\nUpgrade to FortiExtender version 3.2.4 and above"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-048", "name": "https://fortiguard.com/psirt/FG-IR-22-048"}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-02-16T18:06:40.150Z"}}}, "cveMetadata": {"cveId": "CVE-2022-27489", "state": "PUBLISHED", "dateUpdated": "2024-10-23T14:46:25.263Z", "dateReserved": "2022-03-21T16:03:48.575Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2023-02-16T18:06:40.150Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7C7C2CF-4343-4DC6-A9CC-2AD085FF4719", "versionEndExcluding": "3.2.4", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF3BA216-3C90-451D-99AC-DC64259A1312", "versionEndExcluding": "3.3.3", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6594D0E-3A47-4E9F-B020-FBC2C1AED759", "versionEndExcluding": "4.1.9", "versionStartIncluding": "4.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "48A96D42-A019-422C-AB50-7CAF378FDDE5", "versionEndExcluding": "4.2.5", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "46532FCC-760C-43ED-8DC4-81427D279980", "versionEndExcluding": "7.0.4", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "39A64727-9B11-409B-94D6-D46FA7BBADE1", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "04C4747E-18B3-4114-81E0-1761DA523436", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "4CAC470E-2A7D-4E6B-B6F4-2FE3F3977DB8", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6FBB6781-A4B9-4F52-92A4-12CC0A4042B6", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "AA975BB7-6BAE-431F-ACAC-56F8E0021E54", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "1CC2C9D3-01FD-4D5B-AE85-05B0CA6C99AA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fortinet:fortiextender:-:*:*:*:*:*:*:*", "matchCriteriaId": "A0617C1D-E321-409D-B54B-775E854A03C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests."}], "id": "CVE-2022-27489", "lastModified": "2024-11-21T06:55:49.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-16T19:15:12.190", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-048"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-048"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "psirt@fortinet.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}