CVE-2019-17102

Опубликовано: 27 янв. 2020

Источник: nvd

CVSS3: 8.3

CVSS3: 8.1

CVSS2: 9.3

EPSS Низкий

Описание

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/update_setup does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:bitdefender:box_2_firmware:*:*:*:*:*:*:*:*

Версия до 2.1.47.36 (исключая)

cpe:2.3:h:bitdefender:box_2:-:*:*:*:*:*:*:*

EPSS

Процентиль: 56%

0.00339

Низкий

8.3 High

CVSS3

8.1 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-413

CWE-367

Связанные уязвимости

GHSA-j5g5-24v2-cpf4

github

больше 3 лет назад

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.

EPSS

Процентиль: 56%

0.00339

Низкий

8.3 High

CVSS3

8.1 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-413

CWE-367