CVE-2020-15297 - OpenCVE

Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bitdefender	Update Server

Configuration 1 [-]

cpe:2.3:a:bitdefender:update_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2020-11-09T08:25:15.214525Z

Updated: 2024-09-16T17:08:15.114Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15297

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-09T09:15:12.137

Modified: 2020-11-24T18:40:22.527

Link: CVE-2020-15297

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Bitdefender Update Server", "vendor": "Bitdefender", "versions": [{"lessThan": "6.6.20.294", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-11-02T00:00:00", "descriptions": [{"lang": "en", "value": "Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-09T08:25:15", "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163/"}], "solutions": [{"lang": "en", "value": "Version 6.6.20.294 of the Bitdefender Update Server fixes the issue."}], "source": {"advisory": "Server-side request forgery in Bitdefender Update Server (VA-9163)", "defect": ["VA-9163"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-requests@bitdefender.com", "DATE_PUBLIC": "2020-11-02T10:00:00.000Z", "ID": "CVE-2020-15297", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Bitdefender Update Server", "version": {"version_data": [{"version_affected": "<", "version_value": "6.6.20.294"}]}}]}, "vendor_name": "Bitdefender"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163/", "refsource": "MISC", "url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163/"}]}, "solution": [{"lang": "en", "value": "Version 6.6.20.294 of the Bitdefender Update Server fixes the issue."}], "source": {"advisory": "Server-side request forgery in Bitdefender Update Server (VA-9163)", "defect": ["VA-9163"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:15:19.042Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163/"}]}]}, "cveMetadata": {"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "assignerShortName": "Bitdefender", "cveId": "CVE-2020-15297", "datePublished": "2020-11-09T08:25:15.214525Z", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-09-16T17:08:15.114Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bitdefender:update_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C65BE18-D485-44EB-A579-68DC6C05BE4B", "versionEndExcluding": "6.6.20.294", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294."}, {"lang": "es", "value": "Una comprobaci\u00f3n insuficiente en los componentes Bitdefender Update Server y BEST Relay de Bitdefender Endpoint Security Tools versiones anteriores a 6.6.20.294, permite a un atacante no privilegiado omitir unas mitigaciones en el sitio e interactuar con los hosts de la red. Este problema afecta: Bitdefender Update Server versiones anteriores a 6.6.20.294"}], "id": "CVE-2020-15297", "lastModified": "2020-11-24T18:40:22.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.0, "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}, "published": "2020-11-09T09:15:12.137", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Vendor Advisory"], "url": "https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-bitdefender-update-server-va-9163/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}