Vulnerabilites related to Bitdefender - GravityZone
CVE-2021-3959 (GCVE-0-2021-3959)
Vulnerability from cvelistv5
Published
2021-12-16 14:35
Modified
2024-09-17 01:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdefender GravityZone versions prior to 3.3.8.272
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bitdefender | GravityZone |
Version: unspecified < 3.3.8.272 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-in-bitdefender-gravityzone-update-server-in-relay-mode-va-10145"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "3.3.8.272",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nicolas Verdier, independent security researcher"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdefender GravityZone versions prior to 3.3.8.272"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-16T14:35:16",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-in-bitdefender-gravityzone-update-server-in-relay-mode-va-10145"
}
],
"solutions": [
{
"lang": "en",
"value": "An automatic update to version 3.3.8.272 fixes the issue."
}
],
"source": {
"defect": [
"VA-10145"
],
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery in Bitdefender GravityZone Update Server in Relay Mode (VA-10145)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2021-12-01T12:06:00.000Z",
"ID": "CVE-2021-3959",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery in Bitdefender GravityZone Update Server in Relay Mode (VA-10145)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3.8.272"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nicolas Verdier, independent security researcher"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdefender GravityZone versions prior to 3.3.8.272"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-in-bitdefender-gravityzone-update-server-in-relay-mode-va-10145",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-in-bitdefender-gravityzone-update-server-in-relay-mode-va-10145"
}
]
},
"solution": [
{
"lang": "en",
"value": "An automatic update to version 3.3.8.272 fixes the issue."
}
],
"source": {
"defect": [
"VA-10145"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2021-3959",
"datePublished": "2021-12-16T14:35:16.426143Z",
"dateReserved": "2021-11-15T00:00:00",
"dateUpdated": "2024-09-17T01:31:01.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3553 (GCVE-0-2021-3553)
Vulnerability from cvelistv5
Published
2021-11-24 14:45
Modified
2024-09-17 01:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint for Linux versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Bitdefender | Endpoint Security Tools |
Version: unspecified < 6.6.27.390 Version: unspecified < 7.1.2.33 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.054Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-eppupdateservice-remote-config-file-va-9825/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Endpoint Security Tools",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.6.27.390",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "7.1.2.33",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Unified Endpoint for Linux",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.2.21.160",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.24.1-1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"
}
],
"datePublic": "2021-06-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint for Linux versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T14:45:20",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-eppupdateservice-remote-config-file-va-9825/"
}
],
"solutions": [
{
"lang": "en",
"value": "An automatic update to version 6.6.27.390 fixes the issue."
}
],
"source": {
"advisory": "VA-9825",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery in EPPUpdateService remote config file (VA-9825)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2021-06-05T09:00:00.000Z",
"ID": "CVE-2021-3553",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery in EPPUpdateService remote config file (VA-9825)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Endpoint Security Tools",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.6.27.390"
},
{
"version_affected": "\u003c",
"version_value": "7.1.2.33"
}
]
}
},
{
"product_name": "Unified Endpoint for Linux",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.2.21.160"
}
]
}
},
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.24.1-1"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint for Linux versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-eppupdateservice-remote-config-file-va-9825/",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-eppupdateservice-remote-config-file-va-9825/"
}
]
},
"solution": [
{
"lang": "en",
"value": "An automatic update to version 6.6.27.390 fixes the issue."
}
],
"source": {
"advisory": "VA-9825",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2021-3553",
"datePublished": "2021-11-24T14:45:20.276136Z",
"dateReserved": "2021-05-17T00:00:00",
"dateUpdated": "2024-09-17T01:25:41.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0677 (GCVE-0-2022-0677)
Vulnerability from cvelistv5
Published
2022-04-07 18:21
Modified
2024-09-16 22:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Summary
Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of Bitdefender Endpoint Security Tools (in relay role), GravityZone (in Update Server role) allows an attacker to cause a Denial-of-Service. This issue affects: Bitdefender Update Server versions prior to 3.4.0.276. Bitdefender GravityZone versions prior to 26.4-1. Bitdefender Endpoint Security Tools for Linux versions prior to 6.2.21.171. Bitdefender Endpoint Security Tools for Windows versions prior to 7.4.1.111.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Bitdefender | Update Server |
Version: unspecified < 3.4.0.276 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/improper-handling-of-length-parameter-inconsistency-vulnerability-in-bitdefender-update-server-va-10144"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Update Server",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "3.4.0.276",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "26.4-1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Endpoint Security Tools for Linux",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.2.21.171",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Endpoint Security Tools for Windows",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "7.4.1.111",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-03-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of Bitdefender Endpoint Security Tools (in relay role), GravityZone (in Update Server role) allows an attacker to cause a Denial-of-Service. This issue affects: Bitdefender Update Server versions prior to 3.4.0.276. Bitdefender GravityZone versions prior to 26.4-1. Bitdefender Endpoint Security Tools for Linux versions prior to 6.2.21.171. Bitdefender Endpoint Security Tools for Windows versions prior to 7.4.1.111."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-07T18:21:34",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/improper-handling-of-length-parameter-inconsistency-vulnerability-in-bitdefender-update-server-va-10144"
}
],
"solutions": [
{
"lang": "en",
"value": "An automatic update to the following product version fixes the issues:\n\nBitdefender Update Server version3.4.0.276.\nBitdefender GravityZone version 26.4-1.\nBitdefender Endpoint Security Tools for Linux version 6.2.21.171.\nBitdefender Endpoint Security Tools for Windows version 7.4.1.111."
}
],
"source": {
"defect": [
"VA-10144"
],
"discovery": "EXTERNAL"
},
"title": "Improper Handling of Length Parameter Inconsistency vulnerability in Bitdefender Update Server (VA-10144)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2022-03-10T10:00:00.000Z",
"ID": "CVE-2022-0677",
"STATE": "PUBLIC",
"TITLE": "Improper Handling of Length Parameter Inconsistency vulnerability in Bitdefender Update Server (VA-10144)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Update Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.4.0.276"
}
]
}
},
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "26.4-1"
}
]
}
},
{
"product_name": "Endpoint Security Tools for Linux",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.2.21.171"
}
]
}
},
{
"product_name": "Endpoint Security Tools for Windows",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.1.111"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of Bitdefender Endpoint Security Tools (in relay role), GravityZone (in Update Server role) allows an attacker to cause a Denial-of-Service. This issue affects: Bitdefender Update Server versions prior to 3.4.0.276. Bitdefender GravityZone versions prior to 26.4-1. Bitdefender Endpoint Security Tools for Linux versions prior to 6.2.21.171. Bitdefender Endpoint Security Tools for Windows versions prior to 7.4.1.111."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-130 Improper Handling of Length Parameter Inconsistency"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/improper-handling-of-length-parameter-inconsistency-vulnerability-in-bitdefender-update-server-va-10144",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/improper-handling-of-length-parameter-inconsistency-vulnerability-in-bitdefender-update-server-va-10144"
}
]
},
"solution": [
{
"lang": "en",
"value": "An automatic update to the following product version fixes the issues:\n\nBitdefender Update Server version3.4.0.276.\nBitdefender GravityZone version 26.4-1.\nBitdefender Endpoint Security Tools for Linux version 6.2.21.171.\nBitdefender Endpoint Security Tools for Windows version 7.4.1.111."
}
],
"source": {
"defect": [
"VA-10144"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2022-0677",
"datePublished": "2022-04-07T18:21:34.788102Z",
"dateReserved": "2022-02-18T00:00:00",
"dateUpdated": "2024-09-16T22:02:25.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3554 (GCVE-0-2021-3554)
Vulnerability from cvelistv5
Published
2021-11-24 14:45
Modified
2024-09-16 20:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Bitdefender | Endpoint Security Tools for Linux |
Version: unspecified < 6.6.27.390 Version: unspecified < 7.1.2.33 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Endpoint Security Tools for Linux",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.6.27.390",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "7.1.2.33",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Unified Endpoint",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.2.21.160",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.24.1-1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"
}
],
"datePublic": "2021-06-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T14:45:12",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"
}
],
"source": {
"advisory": "VA-9825",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control vulnerability in the patchesUpdate API",
"workarounds": [
{
"lang": "en",
"value": "An automatic update to version 6.6.27.390 fixes the issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2021-06-05T09:00:00.000Z",
"ID": "CVE-2021-3554",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control vulnerability in the patchesUpdate API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Endpoint Security Tools for Linux",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.6.27.390"
},
{
"version_affected": "\u003c",
"version_value": "7.1.2.33"
}
]
}
},
{
"product_name": "Unified Endpoint",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.2.21.160"
}
]
}
},
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.24.1-1"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"
}
]
},
"source": {
"advisory": "VA-9825",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "An automatic update to version 6.6.27.390 fixes the issue."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2021-3554",
"datePublished": "2021-11-24T14:45:12.904727Z",
"dateReserved": "2021-05-17T00:00:00",
"dateUpdated": "2024-09-16T20:03:20.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3960 (GCVE-0-2021-3960)
Vulnerability from cvelistv5
Published
2021-12-16 14:40
Modified
2024-09-16 19:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bitdefender | GravityZone |
Version: unspecified < 3.3.8.272 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.779Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-10146"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "3.3.8.272",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nicolas Verdier, independent security researcher"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-16T14:40:15",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-10146"
}
],
"solutions": [
{
"lang": "en",
"value": "An automatic update to Bitdefender GravityZone version 3.3.8.272 fixes the issue."
}
],
"source": {
"defect": [
"VA-10146"
],
"discovery": "EXTERNAL"
},
"title": "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-10146)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2021-12-01T12:32:00.000Z",
"ID": "CVE-2021-3960",
"STATE": "PUBLIC",
"TITLE": "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-10146)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3.8.272"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nicolas Verdier, independent security researcher"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-10146",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-10146"
}
]
},
"solution": [
{
"lang": "en",
"value": "An automatic update to Bitdefender GravityZone version 3.3.8.272 fixes the issue."
}
],
"source": {
"defect": [
"VA-10146"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2021-3960",
"datePublished": "2021-12-16T14:40:15.890326Z",
"dateReserved": "2021-11-15T00:00:00",
"dateUpdated": "2024-09-16T19:41:10.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3552 (GCVE-0-2021-3552)
Vulnerability from cvelistv5
Published
2021-11-24 14:40
Modified
2024-09-16 17:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender GravityZone 6.24.1-1.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Bitdefender | Endpoint Security Tools |
Version: unspecified < 6.6.27.390 Version: unspecified < 7.1.2.33 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/insufficient-validation-regular-expression-eppupdateservice-config-file-va-9825"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Endpoint Security Tools",
"vendor": "Bitdefender",
"versions": [
{
"lessThan": "6.6.27.390",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "7.1.2.33",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"status": "affected",
"version": "6.24.1-1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"
}
],
"datePublic": "2021-06-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender GravityZone 6.24.1-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T14:40:12",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/insufficient-validation-regular-expression-eppupdateservice-config-file-va-9825"
}
],
"source": {
"advisory": "VA-9825",
"discovery": "EXTERNAL"
},
"title": "Insufficient validation on regular expression in EPPUpdateService config file (VA-9825)",
"workarounds": [
{
"lang": "en",
"value": "An automatic update to version 6.6.27.390 fixes the issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2021-06-05T09:00:00.000Z",
"ID": "CVE-2021-3552",
"STATE": "PUBLIC",
"TITLE": "Insufficient validation on regular expression in EPPUpdateService config file (VA-9825)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Endpoint Security Tools",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.6.27.390"
},
{
"version_affected": "\u003c",
"version_value": "7.1.2.33"
}
]
}
},
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_value": "6.24.1-1"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender GravityZone 6.24.1-1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/insufficient-validation-regular-expression-eppupdateservice-config-file-va-9825",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/insufficient-validation-regular-expression-eppupdateservice-config-file-va-9825"
}
]
},
"source": {
"advisory": "VA-9825",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "An automatic update to version 6.6.27.390 fixes the issue."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2021-3552",
"datePublished": "2021-11-24T14:40:13.004867Z",
"dateReserved": "2021-05-17T00:00:00",
"dateUpdated": "2024-09-16T17:33:06.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3641 (GCVE-0-2021-3641)
Vulnerability from cvelistv5
Published
2021-11-09 14:10
Modified
2024-09-17 02:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Summary
Improper Link Resolution Before File Access ('Link Following') vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bitdefender | GravityZone |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bitdefender.com/support/security-advisories/improper-link-resolution-before-file-access-in-bitdefender-gravityzone-va-9921"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-143/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GravityZone",
"vendor": "Bitdefender",
"versions": [
{
"lessThanOrEqual": "7.1.2.33",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "@Kharosx0 working with Trend Micro Zero Day Initiative"
}
],
"datePublic": "2021-10-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-27T09:06:10",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bitdefender.com/support/security-advisories/improper-link-resolution-before-file-access-in-bitdefender-gravityzone-va-9921"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-143/"
}
],
"solutions": [
{
"lang": "en",
"value": "An automatic update to a newer version of Bitdefender Endpoint Security Tools for Windows fixes the issue"
}
],
"source": {
"defect": [
"VA-9921"
],
"discovery": "EXTERNAL"
},
"title": "Improper Link Resolution Before File Access in Bitdefender GravityZone (VA-9921)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-requests@bitdefender.com",
"DATE_PUBLIC": "2021-10-30T09:00:00.000Z",
"ID": "CVE-2021-3641",
"STATE": "PUBLIC",
"TITLE": "Improper Link Resolution Before File Access in Bitdefender GravityZone (VA-9921)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GravityZone",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "7.1.2.33"
}
]
}
}
]
},
"vendor_name": "Bitdefender"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "@Kharosx0 working with Trend Micro Zero Day Initiative"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bitdefender.com/support/security-advisories/improper-link-resolution-before-file-access-in-bitdefender-gravityzone-va-9921",
"refsource": "MISC",
"url": "https://www.bitdefender.com/support/security-advisories/improper-link-resolution-before-file-access-in-bitdefender-gravityzone-va-9921"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-22-143/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-143/"
}
]
},
"solution": [
{
"lang": "en",
"value": "An automatic update to a newer version of Bitdefender Endpoint Security Tools for Windows fixes the issue"
}
],
"source": {
"defect": [
"VA-9921"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2021-3641",
"datePublished": "2021-11-09T14:10:14.024869Z",
"dateReserved": "2021-07-12T00:00:00",
"dateUpdated": "2024-09-17T02:47:52.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}