ID

VAR-202112-0746


CVE

CVE-2021-42759


TITLE

OS command injection vulnerability in Fortinet Meru AP

Trust: 0.8

sources: JVNDB: JVNDB-2021-016140

DESCRIPTION

A violation of secure design principles in Fortinet Meru AP version 8.6.1 and below, and version 8.5.5 and below, allows an attacker to execute unauthorized code or commands via crafted CLI commands. An OS command injection vulnerability exists in Fortinet Meru AP. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet Meru AP is a wireless access point from Fortinet, Inc. of the United States. Fortinet Meru AP has a code injection vulnerability in 8.6.1 and 8.5.5 and below. The vulnerability stems from the failure of the network system or product to properly filter special elements in the process of constructing code segments with external input data.

Trust: 2.16

sources: NVD: CVE-2021-42759 // JVNDB: JVNDB-2021-016140 // CNVD: CNVD-2021-99762

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-99762

AFFECTED PRODUCTS

vendor: fortinet, model: meru, scope: gte, version: 8.5.0

Trust: 1.0

vendor: fortinet, model: meru, scope: lt, version: 8.6.2

Trust: 1.0

vendor: fortinet, model: meru, scope: gte, version: 8.6.0

Trust: 1.0

vendor: fortinet, model: meru, scope: lte, version: 8.5.5

Trust: 1.0

vendor: Fortinet, model: meru ap, scope: lte, version: meru ap firmware 8.6.1 and earlier

Trust: 0.8

vendor: Fortinet, model: meru ap, scope: eq, version: -

Trust: 0.8

vendor: Fortinet, model: meru ap, scope: lte, version: meru ap firmware 8.5.5 and earlier

Trust: 0.8

vendor: fortinet, model: meru ap, scope: lte, version: <=8.5.5

Trust: 0.6

vendor: fortinet, model: meru ap, scope: lte, version: <=8.6.1

Trust: 0.6

sources: CNVD: CNVD-2021-99762 // JVNDB: JVNDB-2021-016140 // NVD: CVE-2021-42759

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-42759
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-42759
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-42759
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-99762
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202112-743
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-42759
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-99762
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-42759
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-016140
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-99762 // JVNDB: JVNDB-2021-016140 // CNNVD: CNNVD-202112-743 // NVD: CVE-2021-42759 // NVD: CVE-2021-42759

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

problemtype: OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-016140 // NVD: CVE-2021-42759

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202112-743

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202112-743

PATCH

title: FG-IR-21-004, url: https://www.fortiguard.com/psirt/FG-IR-21-004

Trust: 0.8

title: Patch for Fortinet Meru AP code injection vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/304686

Trust: 0.6

title: Fortinet Meru AP fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174235

Trust: 0.6

sources: CNVD: CNVD-2021-99762 // JVNDB: JVNDB-2021-016140 // CNNVD: CNNVD-202112-743

EXTERNAL IDS

db: NVD, id: CVE-2021-42759

Trust: 3.8

db: JVNDB, id: JVNDB-2021-016140

Trust: 0.8

db: CNVD, id: CNVD-2021-99762

Trust: 0.6

db: CNNVD, id: CNNVD-202112-743

Trust: 0.6

sources: CNVD: CNVD-2021-99762 // JVNDB: JVNDB-2021-016140 // CNNVD: CNNVD-202112-743 // NVD: CVE-2021-42759

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-004

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2021-42759

Trust: 1.4

sources: CNVD: CNVD-2021-99762 // JVNDB: JVNDB-2021-016140 // CNNVD: CNNVD-202112-743 // NVD: CVE-2021-42759

SOURCES

db: CNVD, id: CNVD-2021-99762
db: JVNDB, id: JVNDB-2021-016140
db: CNNVD, id: CNNVD-202112-743
db: NVD, id: CVE-2021-42759

LAST UPDATE DATE

2024-11-23T22:50:58.955000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-99762, date: 2021-12-14T00:00:00
db: JVNDB, id: JVNDB-2021-016140, date: 2022-12-07T05:58:00
db: CNNVD, id: CNNVD-202112-743, date: 2021-12-14T00:00:00
db: NVD, id: CVE-2021-42759, date: 2024-11-21T06:28:06.913

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-99762, date: 2021-12-14T00:00:00
db: JVNDB, id: JVNDB-2021-016140, date: 2022-12-07T00:00:00
db: CNNVD, id: CNNVD-202112-743, date: 2021-12-09T00:00:00
db: NVD, id: CVE-2021-42759, date: 2021-12-09T10:15:11.787