CVE-2022-42472: 
FortiOS vulnerability analysis and mitigation

An improper neutralization of CRLF sequences in HTTP headers vulnerability (HTTP Response Splitting) was discovered in Fortinet FortiOS and FortiProxy products. The vulnerability, identified as CVE-2022-42472, was internally discovered by Gwendal Guégniaud of Fortinet Product Security team and publicly disclosed on February 16, 2023. The affected products include FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, and FortiProxy versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10, 1.2.0 through 1.2.13, and 1.1.0 through 1.1.6 (Fortiguard PSIRT).

The vulnerability is classified as an improper neutralization of CRLF sequences in HTTP headers (CWE-113). It has been assigned a Medium severity rating with a CVSS v3 score of 4.0. The vulnerability specifically affects the GUI component of the affected Fortinet products (Fortiguard PSIRT).

When exploited, this vulnerability allows an authenticated and remote attacker to perform an HTTP request splitting attack, potentially gaining control of the remaining headers and body of the response. This could lead to the execution of unauthorized code or commands (Fortiguard PSIRT, CVE Mitre).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiProxy version 7.2.2 or above, 7.0.8 or above, 2.0.11 or above, and FortiOS version 7.2.3 or above, 7.0.9 or above, or 6.4.13 or above (Fortiguard PSIRT).