This vulnerability may be leveraged by threat actors to inject special commands that may cause denial of service (DoS) or possibly execute arbitrary commands. FortiTester versions prior to 4.2.0 do not properly neutralize special characters on the command line (e.g. spaces, ' ', etc.). This may be exploited by an unauthenticated remote attacker to inject a special command that may cause FortiTester to crash or do something unintended. FortiTester versions prior to 4.2.0 allow remote attackers to inject special commands that cause FortiTester to crash or do something unintended.

New Features for FortiTester

The following new features are available in FortiTester 4.2.0:
- Support for the new version of MongoDB (3.4)
- Improved remote vulnerability scanning

References CVE-2022-33874

https://fortinet.com/security-advisories/CVE-2022-33874

Description of the vulnerability

FortiTester versions prior to 4.2.0 do not properly neutralize special characters on the command line (e.g. spaces, ' ', etc.). This may be exploited by an unauthenticated remote attacker to inject a special command that may cause FortiTester to crash or do something unintended. FortiTester versions prior to 4.2.0 allow remote attackers to inject special commands that cause FortiTester to crash or do something unintended.

Summary

This vulnerability may be leveraged by threat actors to inject special commands that may cause denial of service (DoS) or possibly execute arbitrary commands. FortiTester versions prior to 4.2.0 do not properly neutralize special characters on the command line (e.g. spaces, ' ', etc.). This may be exploited by an unauthenticated remote attacker to inject a special command that may cause FortiTester to crash or do something unintended. FortiTester versions prior to 4.2.0 allow remote attackers to inject special commands that cause FortiTester to crash or do something unintended.

Timeline

Published on: 10/18/2022 15:15:00 UTC
Last modified on: 10/21/2022 12:59:00 UTC

References