Back

Improper Access Control vulnerability in patchesUpdate API (VA-9825)

Publication date: November 24th, 2021


CVE ID:
CVE-2021-3554
CVSS scrore:
9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected vendors:
Bitdefender
Affected products:
Endpoint Secuirty Tools for Linux
Vulnerability details:

Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches.

This issue affects Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390.

Additional details:
An automatic update to version 6.6.27.390 fixes the issue.
Credit:
Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS