Back

Server-Side Request Forgery in Bitdefender GravityZone Update Server in Relay Mode (VA-10145)

Publication date: December 16th, 2021

CVE ID:

CVE-2021-3959

CVSS scrore:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected vendors:

Bitdefender

Affected products:

GravityZone

Vulnerability details:

A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects Bitdefender GravityZone versions prior to 3.3.8.

Additional details:

An automatic update to version 3.3.8 fixes the issue.

Credit:

Nicolas Verdier, independent security researcher