CVE-2022-42472

A improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response.

Published: Feb 16, 2023
Updated: Apr 14, 2023
CVE: CVE-2022-42472
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
fortinet / fortiproxy	1.1.0	1.1.6.x
fortinet / fortiproxy	1.2.0	1.2.13.x
fortinet / fortiproxy	7.2.0	7.2.0.x
fortinet / fortiproxy	2.0.0	2.0.10.x
fortinet / fortiproxy	7.0.0	7.0.7.x
fortinet / fortiproxy	7.2.1	7.2.1.x
fortinet / fortios	7.2.0	7.2.0.x
fortinet / fortios	6.2.0	6.2.12.x
fortinet / fortios	7.2.1	7.2.1.x
fortinet / fortios	7.0.0	7.0.8.x
fortinet / fortios	6.4.0	6.4.11.x
fortinet / fortios	7.2.2	7.2.2.x
fortinet / fortios	6.0.1	6.0.16.x

https://fortiguard.com/psirt/FG-IR-22-362

Vulnerability Database

289,784

CVE-2022-42472