github - ghsa-mvf3-qj92-4c7r

ghsa-mvf3-qj92-4c7r

Vulnerability from github

Published

2024-04-09 15:30

Modified

2025-02-07 21:30

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:

Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-2223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-697"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T13:15:33Z",
    "severity": "HIGH"
  },
  "details": "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u00a0\n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for\u00a0 Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1",
  "id": "GHSA-mvf3-qj92-4c7r",
  "modified": "2025-02-07T21:30:51Z",
  "published": "2024-04-09T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2223"
    },
    {
      "type": "WEB",
      "url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-2223 (GCVE-0-2024-2223)

Vulnerability from cvelistv5

Published

2024-04-09 13:01

Modified

2024-08-12 17:59

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-185 - Incorrect Regular Expression

Summary

An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component: Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1

References

►

URL

Tags

https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/

Impacted products

Vendor

Product

Version

►

GravityZone Control Center (On Premises)

Version: 6.36.1

	Bitdefender	Endpoint Security for Windows	Version: 7.9.9.380
	Bitdefender	Endpoint Security for Linux	Version: 7.0.5.200089

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:03:39.042Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:bitdefender:gravityzone:6.36.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "gravityzone",
            "vendor": "bitdefender",
            "versions": [
              {
                "status": "affected",
                "version": "6.36.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:bitdefender:endpoint_security_for_windows:7.9.9.380:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "endpoint_security_for_windows",
            "vendor": "bitdefender",
            "versions": [
              {
                "status": "affected",
                "version": "7.9.9.380"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:bitdefender:endpoint_security_for_linux:7.0.5.200089:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "endpoint_security_for_linux",
            "vendor": "bitdefender",
            "versions": [
              {
                "status": "affected",
                "version": "7.0.5.200089"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T15:13:14.948905Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T17:59:36.379Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "GravityZone Control Center (On Premises)",
          "vendor": "Bitdefender",
          "versions": [
            {
              "status": "affected",
              "version": "6.36.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Endpoint Security for Windows",
          "vendor": "Bitdefender",
          "versions": [
            {
              "status": "affected",
              "version": "7.9.9.380"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Endpoint Security for Linux",
          "vendor": "Bitdefender",
          "versions": [
            {
              "status": "affected",
              "version": "7.0.5.200089"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nicolas VERDIER -- n1nj4sec"
        }
      ],
      "datePublic": "2024-04-09T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u0026nbsp;\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200089\u003cbr\u003eBitdefender Endpoint Security for\u0026nbsp; Windows version 7.9.9.380\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u00a0\n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for\u00a0 Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664: Server Side Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-185",
              "description": "CWE-185: Incorrect Regular Expression",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-09T13:01:34.716Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An automatic update to the following versions fixes the issues:\u003cbr\u003e\u003cbr\u003eBitdefender Endpoint Security for Linux version 7.0.5.200090\u003cbr\u003eBitdefender Endpoint Security for  Windows version 7.9.9.381\u003cbr\u003eGravityZone Control Center (On Premises) version 6.36.1-1\u003cbr\u003e"
            }
          ],
          "value": "An automatic update to the following versions fixes the issues:\n\nBitdefender Endpoint Security for Linux version 7.0.5.200090\nBitdefender Endpoint Security for  Windows version 7.9.9.381\nGravityZone Control Center (On Premises) version 6.36.1-1\n"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": " Incorrect Regular Expression in GravityZone Update Server (VA-11465)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2024-2223",
    "datePublished": "2024-04-09T13:01:34.716Z",
    "dateReserved": "2024-03-06T14:44:01.368Z",
    "dateUpdated": "2024-08-12T17:59:36.379Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.