CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3554 – Improper Access Control vulnerability in the patchesUpdate API
https://notcve.org/view.php?id=CVE-2021-3554
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1. Una vulnerabilidad de control de acceso inadecuado en la API patchesUpdate, tal y como se implementa en Bitdefender Endpoint Security Tools for Linux como rol de retransmisión, permite a un atacante manipular la dirección remota usada para extraer parches. • https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825 • CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3641 – Improper Link Resolution Before File Access in Bitdefender GravityZone (VA-9921)
https://notcve.org/view.php?id=CVE-2021-3641
Improper Link Resolution Before File Access ('Link Following') vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions. Una vulnerabilidad de Resolución de Enlaces Inapropiada versiones anteriores al Acceso a Archivos ("Link Following") en el componente EPAG de Bitdefender Endpoint Security Tools for Windows permite a un atacante local causar una denegación de servicio. Este problema afecta a: Bitdefender GravityZone versión 7.1.2.33 y versiones anteriores This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Bitdefender GravityZone. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Endpoint Agent. • https://www.bitdefender.com/support/security-advisories/improper-link-resolution-before-file-access-in-bitdefender-gravityzone-va-9921 https://www.zerodayinitiative.com/advisories/ZDI-22-143 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3823 – Path traversal vulnerability in Bitdefender GravitZone Update Server in relay mode
https://notcve.org/view.php?id=CVE-2021-3823
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects: Bitdefender GravityZone versions prior to 3.3.8.249. Una vulnerabilidad de Limitación Inapropiada de un Nombre de Ruta a un Directorio Restringido ("Salto de Ruta") en el componente UpdateServer de Bitdefender GravityZone permite a un atacante ejecutar código arbitrario en instancias vulnerables. Este problema afecta a: Bitdefender GravityZone versiones anteriores a 3.3.8.249 • https://www.bitdefender.com/support/security-advisories/path-traversal-vulnerability-in-bitdefender-gravitzone-update-server-in-relay-mode-va-10039 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8931
https://notcve.org/view.php?id=CVE-2017-8931
Bitdefender GravityZone VMware appliance before 6.2.1-35 might allow attackers to gain access with root privileges via unspecified vectors. Bitdefender GravityZone VMware en versiones anteriores a la 6.2.1-35 podría permitir que los atacantes obtengan acceso con privilegios root mediante vectores sin especificar. • https://www.bitdefender.com/support/bitdefender-gravityzone-6-2-1-35-release-notes-1909.html •
CVSS: 5.0EPSS: 10%CPEs: 1EXPL: 3CVE-2014-5350 – BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-5350
Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server. Múltiples vulnerabilidades de salto de directorio en Bitdefender GravityZone anterior a 5.1.11.432 permiten a atacantes remotos leer ficheros arbitrarios a través de un (1) .. (punto punto) en el parámetro id en webservice/CORE/downloadFullKitEpc/a/1 en la consola web o (2) %2E%2E (punto punto codificado) en la URI por defecto en el puerto 7074 en el servidor de actualización. • https://www.exploit-db.com/exploits/34086 http://seclists.org/fulldisclosure/2014/Jul/78 http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140716-3_Bitdefender_GravityZone_Multiple_critical_vulnerabilities_v10.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •