4 results (0.006 seconds)

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Apr 2025 — A server-side request forgery (SSRF) vulnerability exists in the Bitdefender GravityZone Update Server when operating in Relay Mode. The HTTP proxy component on port 7074 uses a domain allowlist to restrict outbound requests, but fails to properly sanitize hostnames containing null-byte (%00) sequences. By crafting a request to a domain such as evil.com%00.bitdefender.com, an attacker can bypass the allowlist check, causing the proxy to forward requests to arbitrary external or internal systems. ... • https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-in-gravityzone-update-server-using-null-bytes-va-12646 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

07 Apr 2022 — Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of Bitdefender Endpoint Security Tools (in relay role), GravityZone (in Update Server role) allows an attacker to cause a Denial-of-Service. This issue affects: Bitdefender Update Server versions prior to 3.4.0.276. Bitdefender GravityZone versions prior to 26.4-1. Bitdefender Endpoint Security Tools for Linux versions prior to 6.2.21.171. Bitdefender Endpoint Security Tools for Windows versions prior to 7.4.1.1... • https://www.bitdefender.com/support/security-advisories/improper-handling-of-length-parameter-inconsistency-vulnerability-in-bitdefender-update-server-va-10144 • CWE-130: Improper Handling of Length Parameter Inconsistency

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2020 — Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294. ... • https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.8 • EPSS: 7% • CPEs: 1 • EXPL: 3

23 Jan 2008 — Directory traversal vulnerability in BitDefender Update Server (http.exe), as used in BitDefender products including Security for Fileservers and Enterprise Manager (BDEM), allows remote attackers to read arbitrary files via .. (dot dot) sequences in an HTTP request. ... • https://www.exploit-db.com/exploits/31039 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')