Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-10146)
Publication date: December 16th, 2021
7.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 188.8.131.522.
An automatic update to Bitdefender GravityZone version 184.108.40.2062 fixes the issue.
Nicolas Verdier, independent security researcher