CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4177 – Host whitelist parser issue in GravityZone Console On-Premise (VA-11554)
https://notcve.org/view.php?id=CVE-2024-4177
A host whitelist parser issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-2 that are running only on premise. Un problema con el analizador de lista blanca de host en el servicio proxy implementado en GravityZone Update Server permite a un atacante provocar server-side request forgery. Este problema solo afecta a las versiones de GravityZone Console anteriores a 6.38.1-2 que se ejecutan únicamente en las instalaciones. • https://bitdefender.com/consumer/support/support/security-advisories/host-whitelist-parser-issue-in-gravityzone-console-on-premise-va-11554 https://www.cve.org/CVERecord?id=CVE-2024-4177 • CWE-116: Improper Encoding or Escaping of Output CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2024-2224 – Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-11466)
https://notcve.org/view.php?id=CVE-2024-2224
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1 La vulnerabilidad de limitación inadecuada de un nombre de ruta a un directorio restringido ("Path Traversal") en el componente UpdateServer de Bitdefender GravityZone permite a un atacante ejecutar código arbitrario en instancias vulnerables. Este problema afecta a los siguientes productos que incluyen el componente vulnerable: Bitdefender Endpoint Security para Linux versión 7.0.5.200089 Bitdefender Endpoint Security para Windows versión 7.9.9.380 GravityZone Control Center (On Premises) versión 6.36.1 • https://github.com/SeanPesce/CVE-2024-22243 https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2024-2223 – Incorrect Regular Expression in GravityZone Update Server (VA-11465)
https://notcve.org/view.php?id=CVE-2024-2223
An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component: Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1 Una vulnerabilidad de expresión regular incorrecta en Bitdefender GravityZone Update Server permite a un atacante provocar Server Side Request Forgery y reconfigurar el relé. Este problema afecta a los siguientes productos que incluyen el componente vulnerable: Bitdefender Endpoint Security para Linux versión 7.0.5.200089 Bitdefender Endpoint Security para Windows versión 7.9.9.380 GravityZone Control Center (On Premises) versión 6.36.1 • https://github.com/shellfeel/CVE-2024-22243-CVE-2024-22234 https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465 • CWE-185: Incorrect Regular Expression •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2830 – Deserialization of Untrusted Data in GravityZone Console On-Premise (VA-10573)
https://notcve.org/view.php?id=CVE-2022-2830
Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender GravityZone Console allows an attacker to pass unsafe commands to the environment. This issue affects: Bitdefender GravityZone Console On-Premise versions prior to 6.29.2-1. Bitdefender GravityZone Cloud Console versions prior to 6.27.2-2. Una vulnerabilidad de Deserialización de Datos No Confiables en el componente de procesamiento de mensajes de Bitdefender GravityZone Console permite a un atacante pasar comandos no seguros al entorno. Este problema afecta a: Bitdefender GravityZone Console On-Premise versiones anteriores a 6.29.2-1. • https://www.bitdefender.com/support/security-advisories/deserialization-of-untrusted-data-in-gravityzone-console-va-10573 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-0677 – Improper Handling of Length Parameter Inconsistency vulnerability in Bitdefender Update Server (VA-10144)
https://notcve.org/view.php?id=CVE-2022-0677
Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of Bitdefender Endpoint Security Tools (in relay role), GravityZone (in Update Server role) allows an attacker to cause a Denial-of-Service. This issue affects: Bitdefender Update Server versions prior to 3.4.0.276. Bitdefender GravityZone versions prior to 26.4-1. Bitdefender Endpoint Security Tools for Linux versions prior to 6.2.21.171. Bitdefender Endpoint Security Tools for Windows versions prior to 7.4.1.111. • https://www.bitdefender.com/support/security-advisories/improper-handling-of-length-parameter-inconsistency-vulnerability-in-bitdefender-update-server-va-10144 • CWE-130: Improper Handling of Length Parameter Inconsistency •