=====================================================================
CERT-Renater Information Note No. 2021/VULN412
_____________________________________________________________________
DATE                 : 19/08/2021
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FortiWeb versions prior to
                       6.3.15, 6.4.1, 6.2.5.
=====================================================================

https://fortiguard.com/psirt/FG-IR-21-116
_____________________________________________________________________

FortiWeb - OS command injection vulnerability

IR Number    : FG-IR-21-116
Date         : Aug 18, 2021
Risk         : 4/5
CVSSv3 Score : 7.6
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-22123

Summary

An OS command injection vulnerability in FortiWeb's management
interface may allow a remote authenticated administrator to execute
arbitrary commands on the system via the SAML server configuration
page.

Impact

Execute unauthorized code or commands

Affected Products

  - FortiWeb version 6.4.0 and below.
  - FortiWeb version 6.3.14 and below.
  - FortiWeb version 6.2.4 and below.

Solutions

  - Upgrade to upcoming FortiWeb 6.3.15 or above.
  - Upgrade to upcoming FortiWeb 6.4.1 or above.
  - Upgrade to upcoming FortiWeb 6.2.5 or above.

Workaround:

Disable access to the management interface from untrusted networks,
and use the Trusted Hosts feature to restrict access to trusted IP
addresses for the admin users.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris         | email:cert@support.renater.fr    +
=========================================================
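The affected and fixed versions above span three release branches, each with its own fix release, so a flat "less than X" comparison against a single version is not enough when triaging an inventory. The following is an added example written for this note (it is not CERT-Renater or Fortinet code) that encodes the three fixed versions stated in the advisory, compares a reported version against the fix for its own branch, and flags branches the advisory does not mention as "unknown" rather than silently treating them as safe. The hostnames and versions in the sample inventory are constructed.

```python
"""Branch-aware affectedness check for FG-IR-21-116 (CVE-2021-22123).

Added example: the fixed versions below are taken from the advisory text;
everything else (function names, sample inventory) is constructed for
illustration.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per FortiWeb branch, as stated in the advisory:
# 6.2.x fixed in 6.2.5, 6.3.x fixed in 6.3.15, 6.4.x fixed in 6.4.1.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 5),
    (6, 3): (6, 3, 15),
    (6, 4): (6, 4, 1),
}


def parse_version(text: str) -> Version:
    """Parse a dotted 'major.minor.patch' string into an int tuple.

    Raises ValueError on anything that is not exactly three numeric parts,
    so malformed inventory entries surface instead of being mis-ranked.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """Return True if vulnerable, False if at/after the branch fix,
    None if the branch is not covered by the advisory (needs review).

    Tuple comparison is lexicographic on ints, so 6.3.9 < 6.3.15 holds
    (a plain string comparison would get that wrong).
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs into affected / fixed / unknown."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        buckets[key].append(f"{host} ({version})")
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = [
        ("waf-dmz-01.example", "6.3.14"),
        ("waf-dmz-02.example", "6.3.15"),
        ("waf-lab-01.example", "6.4.0"),
        ("waf-core-01.example", "6.2.4"),
        ("waf-old-01.example", "6.1.3"),   # branch not listed in advisory
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Entries in the "unknown" bucket (branches the advisory does not list) should be checked against the vendor's PSIRT page rather than assumed clean; the check deliberately refuses to guess for them.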