Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Endpoint Security for Windows by Bitdefender
CVE-2024-2224 (GCVE-0-2024-2224)
Vulnerability from cvelistv5 – Published: 2024-04-09 13:01 – Updated: 2024-08-01 19:03
VLAI
Title
Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)
Summary
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bitdefender | GravityZone Control Center (On Premises) |
Affected:
6.36.1
|
|
| Bitdefender | Endpoint Security for Windows |
Affected:
7.9.9.380
|
|
| Bitdefender | Endpoint Security for Linux |
Affected:
7.0.5.200089
|
|
| bitdefender | gravityzone |
Affected:
6.36.1
cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_windows |
Affected:
7.9.9.380
cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_linux |
Affected:
70.5.200089
cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:* |
Date Public
2024-03-11 10:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gravityzone",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_windows",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_linux",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "70.5.200089"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T14:18:06.302656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:37:44.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GravityZone Control Center (On Premises)",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Windows",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Linux",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.0.5.200089"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicolas VERDIER -- n1nj4sec"
}
],
"datePublic": "2024-03-11T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n"
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Leveraging/Manipulating Configuration File Search Paths"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T13:01:47.416Z",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e"
}
],
"value": "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2024-2224",
"datePublished": "2024-04-09T13:01:47.416Z",
"dateReserved": "2024-03-06T14:44:03.507Z",
"dateUpdated": "2024-08-01T19:03:39.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2223 (GCVE-0-2024-2223)
Vulnerability from cvelistv5 – Published: 2024-04-09 13:01 – Updated: 2024-08-12 17:59
VLAI
Title
Incorrect Regular Expression in GravityZone Update Server (VA-11465)
Summary
An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-185 - Incorrect Regular Expression
Assigner
References
1 reference
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bitdefender | GravityZone Control Center (On Premises) |
Affected:
6.36.1
|
|
| Bitdefender | Endpoint Security for Windows |
Affected:
7.9.9.380
|
|
| Bitdefender | Endpoint Security for Linux |
Affected:
7.0.5.200089
|
|
| bitdefender | gravityzone |
Affected:
6.36.1
cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_windows |
Affected:
7.9.9.380
cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_linux |
Affected:
7.0.5.200089
cpe:2.3:a:bitdefender:endpoint_security_for_linux:7.0.5.200089:*:*:*:*:*:*:* |
Date Public
2024-04-09 09:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gravityzone",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_windows",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_linux:7.0.5.200089:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_linux",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "7.0.5.200089"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:13:14.948905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:59:36.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "GravityZone Control Center (On Premises)",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Windows",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Linux",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.0.5.200089"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicolas VERDIER -- n1nj4sec"
}
],
"datePublic": "2024-04-09T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u0026nbsp;\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for\u0026nbsp; Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u00a0\n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for\u00a0 Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n"
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664: Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185: Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T13:01:34.716Z",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e"
}
],
"value": "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Incorrect Regular Expression in GravityZone Update Server (VA-11465)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2024-2223",
"datePublished": "2024-04-09T13:01:34.716Z",
"dateReserved": "2024-03-06T14:44:01.368Z",
"dateUpdated": "2024-08-12T17:59:36.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2224 (GCVE-0-2024-2224)
Vulnerability from nvd – Published: 2024-04-09 13:01 – Updated: 2024-08-01 19:03
VLAI
Title
Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)
Summary
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bitdefender | GravityZone Control Center (On Premises) |
Affected:
6.36.1
|
|
| Bitdefender | Endpoint Security for Windows |
Affected:
7.9.9.380
|
|
| Bitdefender | Endpoint Security for Linux |
Affected:
7.0.5.200089
|
|
| bitdefender | gravityzone |
Affected:
6.36.1
cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_windows |
Affected:
7.9.9.380
cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_linux |
Affected:
70.5.200089
cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:* |
Date Public
2024-03-11 10:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gravityzone",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_windows",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_linux",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "70.5.200089"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T14:18:06.302656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:37:44.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GravityZone Control Center (On Premises)",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Windows",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Linux",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.0.5.200089"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicolas VERDIER -- n1nj4sec"
}
],
"datePublic": "2024-03-11T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n"
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Leveraging/Manipulating Configuration File Search Paths"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T13:01:47.416Z",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e"
}
],
"value": "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2024-2224",
"datePublished": "2024-04-09T13:01:47.416Z",
"dateReserved": "2024-03-06T14:44:03.507Z",
"dateUpdated": "2024-08-01T19:03:39.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2223 (GCVE-0-2024-2223)
Vulnerability from nvd – Published: 2024-04-09 13:01 – Updated: 2024-08-12 17:59
VLAI
Title
Incorrect Regular Expression in GravityZone Update Server (VA-11465)
Summary
An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-185 - Incorrect Regular Expression
Assigner
References
1 reference
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bitdefender | GravityZone Control Center (On Premises) |
Affected:
6.36.1
|
|
| Bitdefender | Endpoint Security for Windows |
Affected:
7.9.9.380
|
|
| Bitdefender | Endpoint Security for Linux |
Affected:
7.0.5.200089
|
|
| bitdefender | gravityzone |
Affected:
6.36.1
cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_windows |
Affected:
7.9.9.380
cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:* |
|
| bitdefender | endpoint_security_for_linux |
Affected:
7.0.5.200089
cpe:2.3:a:bitdefender:endpoint_security_for_linux:7.0.5.200089:*:*:*:*:*:*:* |
Date Public
2024-04-09 09:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gravityzone",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_windows",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"cpes": [
"cpe:2.3:a:bitdefender:endpoint_security_for_linux:7.0.5.200089:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "endpoint_security_for_linux",
"vendor": "bitdefender",
"versions": [
{
"status": "affected",
"version": "7.0.5.200089"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:13:14.948905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:59:36.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "GravityZone Control Center (On Premises)",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "6.36.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Windows",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.9.9.380"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Endpoint Security for Linux",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "7.0.5.200089"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicolas VERDIER -- n1nj4sec"
}
],
"datePublic": "2024-04-09T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u0026nbsp;\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for\u0026nbsp; Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u00a0\n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for\u00a0 Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n"
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664: Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185: Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T13:01:34.716Z",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e"
}
],
"value": "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Incorrect Regular Expression in GravityZone Update Server (VA-11465)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2024-2223",
"datePublished": "2024-04-09T13:01:34.716Z",
"dateReserved": "2024-03-06T14:44:01.368Z",
"dateUpdated": "2024-08-12T17:59:36.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}