CVE-2022-33872 In some Telnet components of FortiTester, an improper neutralization of special elements may allow an unauthenticated remap of commands.

FortiTester versions prior to 7.1.0 are vulnerable to OS Command Injection [CWE-78] due to improper handling of special characters (/ and \), with the remote execution of arbitrary commands. FortiTester versions 7.1.0 and later are not vulnerable to this issue. FortiTester versions prior to 7.0.0 may be vulnerable to OS Command Injection [CWE-78] due to improper handling of special characters (/ and \), with the remote execution of arbitrary commands. FortiTester versions 7.0.0 and later are not vulnerable to this issue. FortiTester versions prior to 4.2.0 may be vulnerable to OS Command Injection [CWE-78] due to improper handling of special characters (/ and \), with the remote execution of arbitrary commands. FortiTester versions 4.2.0 and later are not vulnerable to this issue. FortiTester versions prior to 7.0.0 are vulnerable to OS Command Injection [CWE-78] due to improper handling of special characters (/ and \). FortiTester versions 7.0.0
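The weakness class above (CWE-78, untrusted characters such as / and \ reaching an OS command) is easiest to see next to its fix. The following is an added illustration written for this page; it is not FortiTester's code, and the command name (ping), the argument shape (a hostname or IP) and the function names are assumptions. It shows the flawed pattern of interpolating input into a shell string, beside the hardened pattern of allowlist validation plus an argv list that no shell ever parses.

```python
"""Added CWE-78 illustration (not FortiTester code).

Two defensive controls for any value that ends up in an OS command:
  1. validate the value against a strict allowlist of characters, and
  2. build the command as an argv list so no shell interprets it.
The 'ping' command and the hostname argument are hypothetical examples.
"""
import re
import subprocess

# Allowlist: hostnames and IPv4 addresses only (letters, digits, '.', '-').
# Anything else, including '/', '\\', ';', '|', '$' and backticks, is rejected.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# Characters a shell or path-handling layer may treat specially; used only
# for detection/logging, never as a substitute for the allowlist above.
_SHELL_META = set(";|&$`<>(){}[]!*?~'\"/\\\n\r \t")


def has_shell_metachars(value: str) -> bool:
    """Return True if the value contains any character a shell could interpret."""
    return any(ch in _SHELL_META for ch in value)


def validate_host(value: str) -> bool:
    """Allowlist check: True only for a plausible hostname/IPv4 literal."""
    return _HOST_RE.fullmatch(value) is not None


def build_shell_cmd_vulnerable(host: str) -> str:
    """The flawed shape: untrusted text spliced into a string a shell will parse.

    Returned as a string only so the two patterns can be compared side by side;
    nothing here executes it.
    """
    return f"ping -c 1 {host}"


def build_argv_hardened(host: str) -> list:
    """The hardened shape: validate first, then pass discrete arguments."""
    if not validate_host(host):
        raise ValueError("rejected host argument: failed allowlist check")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute without a shell (no shell=True), so metacharacters are inert."""
    return subprocess.run(
        build_argv_hardened(host), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed sample inputs: one benign, three that must be rejected.
    for candidate in ["lab-host01.example.test", "host;id", "a/b", "a\\b"]:
        print(f"{candidate!r}: allowlist={validate_host(candidate)} "
              f"metachars={has_shell_metachars(candidate)}")
```

The allowlist is the control that actually closes the hole; the metacharacter scan is useful as a detection signal (log and alert on rejected values) but should not be used as a denylist in place of the allowlist, since a denylist tends to miss the exact characters, such as / and \, that the advisory names.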

References

[1] Fortinet FortiTester Versions Prior to 7.1.0 Are Vulnerable to OS Command Injection [CWE-78]
[2] New OS Command Injection Vulnerability in FortiTester (CVE-2022-33872)

Issues in CVE-2022-33872

The issue in CVE-2022-33872 is a vulnerability discovered by Tenable Network Security. This vulnerability is being exploited in the wild targeting FortiTester versions prior to 7.1.0. This CVE has been assigned the identifier CVE-2022-33872, and will be publicly disclosed when any of the following criteria are met:

A patch that resolves this vulnerability is released
A workaround to mitigate this security risk is available

Timeline

Published on: 10/18/2022 15:15:00 UTC
Last modified on: 10/21/2022 13:00:00 UTC
