CVE-2024-2224 (GCVE-0-2024-2224)
Vulnerability from cvelistv5
Published
2024-04-09 13:01
Modified
2024-08-01 19:03
Severity
CVSS v3.1 8.1 High (Bitdefender, CNA): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 9.8 Critical (NVD, Primary): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The two vectors differ only in attack complexity (CNA: High, NVD: Low); both rate the issue as unauthenticated, network-reachable, with high confidentiality, integrity and availability impact.
SSVC (CISA ADP, 2024-04-09): Exploitation: poc; Automatable: no; Technical Impact: partial
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an unauthenticated network attacker to execute arbitrary code on vulnerable instances. Bitdefender tracks the issue as VA-11466, "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API"; the CNA associates it with CAPEC-21 (Leveraging/Manipulating Configuration File Search Paths) and credits Nicolas VERDIER (n1nj4sec) with the discovery. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089 (fixed in 7.0.5.200090)
Bitdefender Endpoint Security for Windows version 7.9.9.380 (fixed in 7.9.9.381)
GravityZone Control Center (On Premises) version 6.36.1 (fixed in 6.36.1-1)
According to the vendor, the fixed versions are delivered by automatic update.
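The CWE-22 pattern behind this record, shown as an added example that is not Bitdefender's UpdateServer code and does not reproduce the VA-11466 issue: a hypothetical kit-file resolver in Python, the vulnerable form beside a hardened one, run over constructed requests. The directory layout, file names and request strings are all invented for the demo; the point is that the containment check has to run on the canonical path, after `..`, absolute components and symlinks have been resolved, rather than on the raw string.

```python
"""Illustration of CWE-22 in an update-server-style file handler.

Hypothetical code, not Bitdefender's UpdateServer: a service that serves
"kit" files from a fixed directory and takes the kit name from the client.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested kit path escapes the kits directory."""


def resolve_kit_path_vulnerable(kits_dir: str, requested: str) -> str:
    """Vulnerable pattern (CWE-22): join the client-supplied name onto the
    base directory and trust the result. '..' components walk out of
    kits_dir, and an absolute name replaces the base entirely."""
    return os.path.normpath(os.path.join(kits_dir, requested))


def resolve_kit_path_safe(kits_dir: str, requested: str) -> str:
    """Hardened pattern: canonicalise both sides (resolving '..', symlinks
    and repeated separators) and require the candidate to be strictly
    inside the canonical kits directory."""
    base = Path(kits_dir).resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:  # also rejects candidate == base
        raise PathTraversalError(f"refusing path outside kits dir: {requested!r}")
    return str(candidate)


def classify_requests(kits_dir: str, requests):
    """Run each request through the hardened resolver and report whether it
    would be served or rejected. Returns {request: 'served' | 'rejected'}."""
    verdicts = {}
    for req in requests:
        try:
            resolve_kit_path_safe(kits_dir, req)
            verdicts[req] = "served"
        except PathTraversalError:
            verdicts[req] = "rejected"
    return verdicts


def escapes_base(kits_dir: str, requested: str) -> bool:
    """True if the vulnerable resolver would hand back a path outside kits_dir."""
    base = Path(kits_dir).resolve()
    target = Path(resolve_kit_path_vulnerable(kits_dir, requested)).resolve()
    return base not in target.parents


def make_demo_tree() -> str:
    """Constructed sample layout: <tmp>/kits/linux/agent.tar.gz next to
    <tmp>/secret.txt. Returns the kits directory. A symlink inside kits
    pointing at the secret is added where the platform allows it."""
    root = tempfile.mkdtemp(prefix="updateserver-demo-")
    kits = os.path.join(root, "kits")
    os.makedirs(os.path.join(kits, "linux"))
    Path(kits, "linux", "agent.tar.gz").write_bytes(b"constructed kit payload")
    Path(root, "secret.txt").write_text("not for clients")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(kits, "link"))
    except (OSError, NotImplementedError):
        pass
    return kits


# Constructed request strings for the demo.
SAMPLE_REQUESTS = [
    "linux/agent.tar.gz",      # legitimate kit
    "../secret.txt",           # classic dot-dot traversal
    "linux/../../secret.txt",  # traversal hidden behind a valid prefix
    "/etc/hostname",           # absolute path replaces the base
    "link",                    # symlink inside kits pointing outside
]


if __name__ == "__main__":
    kits_dir = make_demo_tree()
    for req, verdict in classify_requests(kits_dir, SAMPLE_REQUESTS).items():
        leak = escapes_base(kits_dir, req)
        print(f"{verdict:8s} {req:24s} vulnerable resolver escapes base: {leak}")
```

The hardened resolver deliberately does not look for `../` in the request string: percent-encoding, mixed separators and symlinks all get past string filters, whereas a containment check on the canonical path catches every one of them with the same three lines. Note that in `pathlib` an absolute right-hand operand discards the base, which is exactly why the check is on the result rather than on the inputs.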
References
- https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/ (Vendor Advisory, VA-11466)
Impacted products
Vendor | Product | Affected version | Fixed in
---|---|---|---
Bitdefender | GravityZone Control Center (On Premises) | 6.36.1 | 6.36.1-1
Bitdefender | Endpoint Security for Windows | 7.9.9.380 | 7.9.9.381
Bitdefender | Endpoint Security for Linux | 7.0.5.200089 | 7.0.5.200090
The CNA lists only these exact versions as affected and sets defaultStatus to "unaffected" for everything else. When matching inventory, work from these version strings rather than from a single CPE: the CISA ADP container's CPE for Endpoint Security for Linux carries the malformed version "70.5.200089" (missing a dot), and the NVD configuration names the products differently (endpoint_security with target_sw linux or windows, and gravityzone_control_center with on_premises).
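A patch-status check against the versions in this record, as an added example that is not vendor tooling. It takes the cna.affected entries and the fixed versions from the record's solutions text as data, applies the record's defaultStatus to anything not listed, and assumes that a "-N" suffix such as 6.36.1-1 is a hotfix number that sorts after the bare release; the record does not define that scheme. The host names in the inventory are constructed.

```python
"""Patch-status triage for CVE-2024-2224 from an inventory of installed versions.

Added example, not Bitdefender tooling. Version ordering assumption: a "-N"
suffix (6.36.1-1) is a hotfix number ordered after the bare release (6.36.1).
"""
import re

# cna.affected from the CVE record: one exact affected version per product,
# defaultStatus "unaffected" for every version not listed.
CNA_AFFECTED = [
    {"vendor": "Bitdefender", "product": "GravityZone Control Center (On Premises)",
     "defaultStatus": "unaffected",
     "versions": [{"status": "affected", "version": "6.36.1"}]},
    {"vendor": "Bitdefender", "product": "Endpoint Security for Windows",
     "defaultStatus": "unaffected",
     "versions": [{"status": "affected", "version": "7.9.9.380"}]},
    {"vendor": "Bitdefender", "product": "Endpoint Security for Linux",
     "defaultStatus": "unaffected",
     "versions": [{"status": "affected", "version": "7.0.5.200089"}]},
]

# Fixed versions from the record's "solutions" text.
FIXED_VERSIONS = {
    "GravityZone Control Center (On Premises)": "6.36.1-1",
    "Endpoint Security for Windows": "7.9.9.381",
    "Endpoint Security for Linux": "7.0.5.200090",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(text):
    """'7.0.5.200089' -> ((7, 0, 5, 200089), 0); '6.36.1-1' -> ((6, 36, 1), 1).
    Raises ValueError on anything else, so a malformed inventory entry fails
    loudly instead of silently comparing as 'fixed'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    hotfix = int(m.group(2) or 0)  # assumption: "-N" is a hotfix ordered after the release
    return release, hotfix


def is_valid_version(text):
    """True if the string matches the numeric dotted form this record uses."""
    try:
        parse_version(text)
        return True
    except ValueError:
        return False


def patch_status(product, installed):
    """Classify one installed version against the record.

    'affected'   : version appears in cna.affected with status=affected
    'fixed'      : version is at or above the fix listed in solutions
    'unaffected' : not listed, so the record's defaultStatus applies
    'unknown'    : product not covered by the record at all
    """
    entry = next((a for a in CNA_AFFECTED if a["product"] == product), None)
    if entry is None:
        return "unknown"
    listed = {v["version"] for v in entry["versions"] if v["status"] == "affected"}
    if installed in listed:
        return "affected"
    if parse_version(installed) >= parse_version(FIXED_VERSIONS[product]):
        return "fixed"
    return entry["defaultStatus"]


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns host -> status."""
    return {host: patch_status(product, version) for host, product, version in inventory}


# Constructed inventory for the demo; not real hosts.
SAMPLE_INVENTORY = [
    ("gz-console-01", "GravityZone Control Center (On Premises)", "6.36.1"),
    ("gz-console-02", "GravityZone Control Center (On Premises)", "6.36.1-1"),
    ("ws-0417", "Endpoint Security for Windows", "7.9.9.380"),
    ("ws-0418", "Endpoint Security for Windows", "7.9.9.381"),
    ("srv-lin-03", "Endpoint Security for Linux", "7.0.5.200089"),
    ("srv-lin-04", "Endpoint Security for Linux", "7.0.5.200090"),
    ("srv-lin-05", "Endpoint Security for Linux", "7.0.4.100000"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

The "unaffected" verdict for older builds is what the CNA record literally says (defaultStatus: unaffected), not an independent finding; an operator who does not trust that default can treat anything below the fixed version as affected by changing the last return in `patch_status`.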
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "gravityzone", "vendor": "bitdefender", "versions": [ { "status": "affected", "version": "6.36.1" } ] }, { "cpes": [ "cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "endpoint_security_for_windows", "vendor": "bitdefender", "versions": [ { "status": "affected", "version": "7.9.9.380" } ] }, { "cpes": [ "cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "endpoint_security_for_linux", "vendor": "bitdefender", "versions": [ { "status": "affected", "version": "70.5.200089" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-2224", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-09T14:18:06.302656Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T18:37:44.171Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:03:39.266Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "GravityZone Control Center (On Premises)", "vendor": "Bitdefender", "versions": [ { "status": "affected", "version": "6.36.1" } ] }, { "defaultStatus": "unaffected", "product": "Endpoint Security for Windows", "vendor": "Bitdefender", "versions": [ { "status": "affected", "version": "7.9.9.380" } ] }, { 
"defaultStatus": "unaffected", "product": "Endpoint Security for Linux", "vendor": "Bitdefender", "versions": [ { "status": "affected", "version": "7.0.5.200089" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Nicolas VERDIER -- n1nj4sec" } ], "datePublic": "2024-03-11T10:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003c/span\u003e\u003cbr\u003e" } ], "value": "Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. 
This issue affects the following products that include the vulnerable component: \n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n" } ], "impacts": [ { "capecId": "CAPEC-21", "descriptions": [ { "lang": "en", "value": "CAPEC-21: Leveraging/Manipulating Configuration File Search Paths" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-09T13:01:47.416Z", "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender" }, "references": [ { "url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e" } ], "value": "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender 
Endpoint Security for Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n" } ], "source": { "discovery": "EXTERNAL" }, "title": "Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "assignerShortName": "Bitdefender", "cveId": "CVE-2024-2224", "datePublished": "2024-04-09T13:01:47.416Z", "dateReserved": "2024-03-06T14:44:03.507Z", "dateUpdated": "2024-08-01T19:03:39.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-2224\",\"sourceIdentifier\":\"cve-requests@bitdefender.com\",\"published\":\"2024-04-09T13:15:33.357\",\"lastModified\":\"2025-02-07T18:53:18.953\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \\n\\nBitdefender Endpoint Security for Linux version 7.0.5.200089\\nBitdefender Endpoint Security for Windows version 7.9.9.380\\nGravityZone Control Center (On Premises) version 6.36.1\\n\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de limitaci\u00f3n inadecuada de un nombre de ruta a un directorio restringido (\\\"Path Traversal\\\") en el componente UpdateServer de Bitdefender GravityZone permite a un atacante ejecutar c\u00f3digo arbitrario en instancias vulnerables. 
Este problema afecta a los siguientes productos que incluyen el componente vulnerable: Bitdefender Endpoint Security para Linux versi\u00f3n 7.0.5.200089 Bitdefender Endpoint Security para Windows versi\u00f3n 7.9.9.380 GravityZone Control Center (On Premises) versi\u00f3n 6.36.1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-requests@bitdefender.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve-requests@bitdefender.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bitdefender:endpoint_security:7.0.5.200089:*:*:*:*:linux:*:*\",\"matchCriteriaId\":\"AAB89966-3C21-4B7D-AC06-852112583783\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bitdefender:endpoint_security:7.9.9.380:*:*:*:*:windows:*:*\",\"matchCriteriaId\":\"D1F56724-5FFE-414B-95D1-96351A0F9686\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bitdefender:gravityzone_control_center:6.36.1:*:*:*:on_premises:*:*:*\",\"matchCriteriaId\":\"75899627-A80E-49B6-9EBA-433DF7F2BE37\"}]}]}],\"references\":[{\"url\":\"https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/\",\"source\":\"cve-requests@bitdefender.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T19:03:39.266Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2224\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-09T14:18:06.302656Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*\"], \"vendor\": \"bitdefender\", \"product\": \"gravityzone\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.36.1\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*\"], \"vendor\": \"bitdefender\", \"product\": \"endpoint_security_for_windows\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.9.9.380\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:bitdefender:endpoint_security_for_linux:70.5.200089:*:*:*:*:*:*:*\"], \"vendor\": 
\"bitdefender\", \"product\": \"endpoint_security_for_linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"70.5.200089\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-06T18:36:19.587Z\"}}], \"cna\": {\"title\": \"Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Nicolas VERDIER -- n1nj4sec\"}], \"impacts\": [{\"capecId\": \"CAPEC-21\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-21: Leveraging/Manipulating Configuration File Search Paths\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Bitdefender\", \"product\": \"GravityZone Control Center (On Premises)\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.36.1\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Bitdefender\", \"product\": \"Endpoint Security for Windows\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.9.9.380\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Bitdefender\", \"product\": \"Endpoint Security for Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0.5.200089\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"An automatic update to the following versions fixes the issues:\\n\\nBitdefender Endpoint Security 
for Linux version 7.0.5.200090\\nBitdefender Endpoint Security for Windows version 7.9.9.381\\nGravityZone Control Center (On Premises) version 6.36.1-1\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2024-03-11T10:00:00.000Z\", \"references\": [{\"url\": \"https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Limitation of a Pathname to a Restricted Directory (\\u2018Path Traversal\\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: \\n\\nBitdefender Endpoint Security for Linux version 7.0.5.200089\\nBitdefender Endpoint Security for Windows version 7.9.9.380\\nGravityZone Control Center (On Premises) version 6.36.1\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eImproper Limitation of a Pathname to a Restricted Directory (\\u2018Path Traversal\\u2019) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. 
This issue affects the following products that include the vulnerable component: \u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"b3d5ebe7-963e-41fb-98e1-2edaeabb8f82\", \"shortName\": \"Bitdefender\", \"dateUpdated\": \"2024-04-09T13:01:47.416Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2024-2224\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T19:03:39.266Z\", \"dateReserved\": \"2024-03-06T14:44:03.507Z\", \"assignerOrgId\": \"b3d5ebe7-963e-41fb-98e1-2edaeabb8f82\", \"datePublished\": \"2024-04-09T13:01:47.416Z\", \"assignerShortName\": \"Bitdefender\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Sightings
Author | Source | Type | Date
---|---|---|---
No sightings are recorded for this CVE.
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.