Vulnerabilities related to Bitdefender - Endpoint Security for Linux
cve-2024-2224
Vulnerability from cvelistv5
Published
2024-04-09 13:01
Modified
2024-08-01 19:03
Severity ?
EPSS score ?
Summary
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
References
Impacted products
Vendor | Product | Version
---|---|---
Bitdefender | GravityZone Control Center (On Premises) | 6.36.1
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "gravityzone", vendor: "bitdefender", versions: [ { status: "affected", version: "6.36.1", }, ], }, { cpes: [ "cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "endpoint_security_for_windows", vendor: "bitdefender", versions: [ { status: "affected", version: "7.9.9.380", }, ], }, { cpes: [ "cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "endpoint_security_for_linux", vendor: "bitdefender", versions: [ { status: "affected", version: "70.5.200089", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-2224", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-04-09T14:18:06.302656Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-06T18:37:44.171Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T19:03:39.266Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "GravityZone Control Center (On Premises)", vendor: "Bitdefender", versions: [ { status: "affected", version: "6.36.1", }, ], }, { defaultStatus: "unaffected", product: "Endpoint Security for Windows", vendor: "Bitdefender", versions: [ { status: "affected", version: "7.9.9.380", }, ], }, { defaultStatus: "unaffected", product: "Endpoint Security for Linux", vendor: "Bitdefender", 
versions: [ { status: "affected", version: "7.0.5.200089", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Nicolas VERDIER -- n1nj4sec", }, ], datePublic: "2024-03-11T10:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: <br><br>Bitdefender Endpoint Security for Linux version 7.0.5.200089<br>Bitdefender Endpoint Security for Windows version 7.9.9.380<br>GravityZone Control Center (On Premises) version 6.36.1</span><br>", }, ], value: "Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. 
This issue affects the following products that include the vulnerable component: \n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n", }, ], impacts: [ { capecId: "CAPEC-21", descriptions: [ { lang: "en", value: "CAPEC-21: Leveraging/Manipulating Configuration File Search Paths", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-09T13:01:47.416Z", orgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", shortName: "Bitdefender", }, references: [ { url: "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "An automatic update to the following versions fixes the issues:<br><br>Bitdefender Endpoint Security for Linux version 7.0.5.200090<br>Bitdefender Endpoint Security for Windows version 7.9.9.381<br>GravityZone Control Center (On Premises) version 6.36.1-1<br>", }, ], value: "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n", }, ], source: { 
discovery: "EXTERNAL", }, title: "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", assignerShortName: "Bitdefender", cveId: "CVE-2024-2224", datePublished: "2024-04-09T13:01:47.416Z", dateReserved: "2024-03-06T14:44:03.507Z", dateUpdated: "2024-08-01T19:03:39.266Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-2223
Vulnerability from cvelistv5
Published
2024-04-09 13:01
Modified
2024-08-12 17:59
Severity ?
EPSS score ?
Summary
An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
References
Impacted products
Vendor | Product | Version
---|---|---
Bitdefender | GravityZone Control Center (On Premises) | 6.36.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T19:03:39.042Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "gravityzone", vendor: "bitdefender", versions: [ { status: "affected", version: "6.36.1", }, ], }, { cpes: [ "cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "endpoint_security_for_windows", vendor: "bitdefender", versions: [ { status: "affected", version: "7.9.9.380", }, ], }, { cpes: [ "cpe:2.3:a:bitdefender:endpoint_security_for_linux:7.0.5.200089:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "endpoint_security_for_linux", vendor: "bitdefender", versions: [ { status: "affected", version: "7.0.5.200089", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-2223", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-12T15:13:14.948905Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-12T17:59:36.379Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "GravityZone Control Center (On Premises)", vendor: "Bitdefender", versions: [ { status: "affected", version: "6.36.1", }, ], }, { defaultStatus: "unaffected", product: "Endpoint Security for Windows", vendor: "Bitdefender", versions: [ { status: "affected", version: "7.9.9.380", }, ], }, { defaultStatus: "unaffected", product: "Endpoint Security for Linux", vendor: "Bitdefender", versions: [ { status: 
"affected", version: "7.0.5.200089", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Nicolas VERDIER -- n1nj4sec", }, ], datePublic: "2024-04-09T09:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component: <br><br>Bitdefender Endpoint Security for Linux version 7.0.5.200089<br>Bitdefender Endpoint Security for Windows version 7.9.9.380<br>GravityZone Control Center (On Premises) version 6.36.1<br></span>", }, ], value: "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component: \n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n", }, ], impacts: [ { capecId: "CAPEC-664", descriptions: [ { lang: "en", value: "CAPEC-664: Server Side Request Forgery", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-185", description: "CWE-185: Incorrect Regular Expression", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-09T13:01:34.716Z", 
orgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", shortName: "Bitdefender", }, references: [ { url: "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "An automatic update to the following versions fixes the issues:<br><br>Bitdefender Endpoint Security for Linux version 7.0.5.200090<br>Bitdefender Endpoint Security for Windows version 7.9.9.381<br>GravityZone Control Center (On Premises) version 6.36.1-1<br>", }, ], value: "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n", }, ], source: { discovery: "EXTERNAL", }, title: " Incorrect Regular Expression in GravityZone Update Server (VA-11465)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", assignerShortName: "Bitdefender", cveId: "CVE-2024-2223", datePublished: "2024-04-09T13:01:34.716Z", dateReserved: "2024-03-06T14:44:01.368Z", dateUpdated: "2024-08-12T17:59:36.379Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }