CVE-2019-17095 HIGH

CVE-2019-17095: Bitdefender BOX 2 bootstrap download_image command injection vulnerability

Vendor Bitdefender

Product Bitdefender BOX 2

Weakness CWE-78

Published January 27, 2020

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Local

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability.

Key dates

02Disclosure timeline

January 27, 2020 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-17095 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2019-17095

CWE CWE-78

CVSS 8.1 / HIGH

Affected versions

Vendor Bitdefender

Product Bitdefender BOX 2

Affected ≥ 2.1.47.42 and < 2.1.59-12

Vendor Bitdefender

Product Bitdefender BOX 2

Affected ≥ 2.1.53.45 and < 2.1.59-12

CVE-2019-17095: Bitdefender BOX 2 bootstrap download_image command injection vulnerability

01Description

02Disclosure timeline

03References

04Related CVE