// For flags

CVE-2023-49570

Insecure Trust of Basic Constraints certificate in Bitdefender Total Security HTTPS Scanning (VA-11210)

Severity Score

8.6
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A vulnerability has been identified in Bitdefender Total Security HTTPS scanning functionality where the software trusts a certificate issued by an entity that isn't authorized to issue certificates. This occurs when the "Basic Constraints" extension in the certificate indicates that it is meant to be an "End Entity”. This flaw could allow an attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and potentially altering communications between the user and the website.

Se ha identificado una vulnerabilidad en la función de análisis HTTPS de Bitdefender Total Security, en la que el software confía en un certificado emitido por una entidad que no está autorizada a emitir certificados. Esto ocurre cuando la extensión "Basic Constraints" del certificado indica que está destinado a ser una "Entidad final". Esta falla podría permitir a un atacante realizar un ataque Man-in-the-Middle (MITM), interceptando y potencialmente alterando las comunicaciones entre el usuario y el sitio web.

*Credits: N/A
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
Active
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
High
High
Availability
None
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-11-27 CVE Reserved
  • 2024-10-18 CVE Published
  • 2024-10-18 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-295: Improper Certificate Validation
CAPEC
  • CAPEC-94: Adversary in the Middle (AiTM)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Bitdefender
Search vendor "Bitdefender"
 Total Security
Search vendor "Bitdefender" for product "Total Security"
*-
Affected