CVE-2022-42472
Severity CVSS v4.0:
Pending analysis
Type:
CWE-74
Injection
Publication date:
16/02/2023
Last modified:
07/11/2023
Description
A improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | 1.1.0 (including) | 1.1.6 (including) |
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | 1.2.0 (including) | 1.2.13 (including) |
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.0.10 (including) |
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | 7.0.0 (including) | 7.0.7 (including) |
| cpe:2.3:a:fortinet:fortiproxy:7.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fortinet:fortiproxy:7.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 6.0.1 (including) | 6.0.16 (including) |
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.2.12 (including) |
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 6.4.0 (including) | 6.4.11 (including) |
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 7.0.0 (including) | 7.0.8 (including) |
| cpe:2.3:o:fortinet:fortios:7.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fortinet:fortios:7.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fortinet:fortios:7.2.2:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page