A vulnerability has been identified in Bitdefender Total Security HTTPS scanning functionality where the software trusts a certificate issued by an entity that isn't authorized to issue certificates. This occurs when the "Basic Constraints" extension in the certificate indicates that it is meant to be an "End Entity”. This flaw could allow an attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and potentially altering communications between the user and the website.
History

Tue, 22 Oct 2024 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Fri, 18 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Bitdefender
Bitdefender total Security
CPEs cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*
Vendors & Products Bitdefender
Bitdefender total Security
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Oct 2024 08:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in Bitdefender Total Security HTTPS scanning functionality where the software trusts a certificate issued by an entity that isn't authorized to issue certificates. This occurs when the "Basic Constraints" extension in the certificate indicates that it is meant to be an "End Entity”. This flaw could allow an attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and potentially altering communications between the user and the website.
Title Insecure Trust of Basic Constraints certificate in Bitdefender Total Security HTTPS Scanning (VA-11210)
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2024-10-18T08:07:18.810Z

Updated: 2024-10-18T14:55:36.752Z

Reserved: 2023-11-27T14:21:51.157Z

Link: CVE-2023-49570

cve-icon Vulnrichment

Updated: 2024-10-18T14:55:29.411Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-18T09:15:02.770

Modified: 2024-10-22T16:26:47.317

Link: CVE-2023-49570

cve-icon Redhat

No data.