
Server-Side Request Forgery in EPPUpdateService remote config file (VA-9825)

Publication date: November 24th, 2021
CVE ID:
CVE-2021-3553
CVSS score:
5.3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected vendors:
Bitdefender
Affected products:
Endpoint Security Tools
Vulnerability details:
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects Bitdefender Endpoint Security Tools versions prior to 6.6.27.390.

Additional details:
An automatic update to version 6.6.27.390 fixes the issue.
Credit:
Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS