Lucene search

BitdefenderCVELIST:CVE-2019-17095

HistoryNov 23, 2019 - 12:00 a.m.

CVE-2019-17095 Bitdefender BOX 2 bootstrap download_image command injection vulnerability

2019-11-2300:00:00

CWE-78

Bitdefender

www.cve.org

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

0.028 Low

EPSS

Percentile

90.7%

JSON

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability.

CNA Affected

[
  {
    "product": "Bitdefender BOX 2",
    "vendor": "Bitdefender",
    "versions": [
      {
        "lessThan": "2.1.59-12",
        "status": "affected",
        "version": "2.1.47.42",
        "versionType": "custom"
      },
      {
        "lessThan": "2.1.59-12",
        "status": "affected",
        "version": "2.1.53.45",
        "versionType": "custom"
      }
    ]
  }
]

References

www.bitdefender.com/support/security-advisories/command-injection-vulnerability-in-bitdefender-box-v2-va-5706

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

0.028 Low

EPSS

Percentile

90.7%

JSON

Related for CVELIST:CVE-2019-17095