CVE-2019-17095
8.1
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Bitdefender | Bitdefender BOX 2 | 2.1.47.42 < 2.1.59-12 | affected |
| Bitdefender | Bitdefender BOX 2 | 2.1.53.45 < 2.1.59-12 | affected |
Weaknesses
- CWE-78: CWE-78 OS Command Injection
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.