A vulnerability has been identified in Bitdefender Safepay's handling of HTTPS connections. The issue arises when the product blocks a connection due to an untrusted server certificate but allows the user to add the site to exceptions, resulting in the product trusting the certificate for subsequent HTTPS scans. This vulnerability allows an attacker to perform a Man-in-the-Middle (MITM) attack by using a self-signed certificate, which the product will trust after the site has been added to exceptions. This can lead to the interception and potential alteration of secure communications.
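The description above names the failure class (CWE-295) but not how Safepay stores exceptions. As an added example that is not part of the advisory or of Bitdefender's code, the following Python models one common way such a weakness arises, an exception keyed on host name alone, next to the usual fix, an exception pinned to the SHA-256 fingerprint of the certificate the user actually accepted. The host names, the certificate bytes and the `chain_ok` flag are constructed stand-ins for real path validation.

```python
"""Certificate-exception handling in an HTTPS-inspecting client.

Added example, not Bitdefender code. The advisory does not describe
Safepay's internals; this models the CWE-295 failure mode it names
(an "add to exceptions" action that ends up trusting an attacker's
self-signed certificate for that site) beside the usual fix: bind the
exception to the exact certificate the user accepted, by SHA-256
fingerprint of its DER encoding.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCert:
    host: str        # host the user connected to
    der: bytes       # constructed stand-in for the certificate's DER bytes
    chain_ok: bool   # outcome of normal path validation against the trust store


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, what `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


class HostKeyedExceptions:
    """Weak design: only the host name is remembered, so once the user has
    excepted a site, any certificate later presented for that host passes."""

    def __init__(self) -> None:
        self._hosts: set[str] = set()

    def add_exception(self, cert: PeerCert) -> None:
        self._hosts.add(cert.host)

    def accept(self, cert: PeerCert) -> bool:
        return cert.chain_ok or cert.host in self._hosts


class PinnedExceptions:
    """Hardened design: the exception is a (host, fingerprint) pin. A different
    certificate for the same host, self-signed or not, is blocked again."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def add_exception(self, cert: PeerCert) -> None:
        self._pins[cert.host] = fingerprint(cert.der)

    def accept(self, cert: PeerCert) -> bool:
        if cert.chain_ok:
            return True
        return self._pins.get(cert.host) == fingerprint(cert.der)


def run_scenario(store) -> tuple[bool, bool, bool]:
    """Replay the advisory's sequence against an exception store and report
    (site's own cert accepted, MITM cert for the same host accepted,
     site's cert replayed for a different host accepted)."""
    site = PeerCert("intranet.example", b"constructed-der:intranet-selfsigned-2024", False)
    mitm = PeerCert("intranet.example", b"constructed-der:attacker-selfsigned", False)
    other = PeerCert("bank.example", site.der, False)
    # 1. First visit: path validation fails, the product blocks the page.
    assert not store.accept(site)
    # 2. The user clicks "add to exceptions" for the certificate they were shown.
    store.add_exception(site)
    # 3. Later connections: the legitimate cert, then an attacker's self-signed
    #    cert for the same host, then the excepted cert presented for another host.
    return store.accept(site), store.accept(mitm), store.accept(other)


if __name__ == "__main__":
    print("host-keyed:", run_scenario(HostKeyedExceptions()))  # (True, True, False)
    print("pinned:    ", run_scenario(PinnedExceptions()))     # (True, False, False)
```

With a real connection the `der` bytes are what `ssl.SSLSocket.getpeercert(binary_form=True)` returns. Pinning turns the exception into trust-on-first-use: if the first visit was already intercepted, the attacker's certificate is the one pinned, so the dialog should display the fingerprint for the user to compare and the exception should be scoped or expire rather than persist silently.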
History

Tue, 22 Oct 2024 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Fri, 18 Oct 2024 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bitdefender; Bitdefender Total Security
CPEs | | cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*
Vendors & Products | | Bitdefender; Bitdefender Total Security
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Oct 2024 08:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been identified in Bitdefender Safepay's handling of HTTPS connections. The issue arises when the product blocks a connection due to an untrusted server certificate but allows the user to add the site to exceptions, resulting in the product trusting the certificate for subsequent HTTPS scans. This vulnerability allows an attacker to perform a Man-in-the-Middle (MITM) attack by using a self-signed certificate, which the product will trust after the site has been added to exceptions. This can lead to the interception and potential alteration of secure communications.
Title | | HTTPS Certificate Validation Issue in Bitdefender Safepay (VA-11167)
Weaknesses | | CWE-295
References | |
Metrics | | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED
Assigner: Bitdefender
Published: 2024-10-18T07:52:08.678Z
Updated: 2024-10-18T15:26:30.132Z
Reserved: 2023-11-09T14:17:13.316Z
Link: CVE-2023-6058

Vulnrichment

Updated: 2024-10-18T15:26:25.809Z

NVD

Status: Analyzed
Published: 2024-10-18T08:15:03.737
Modified: 2024-10-22T16:00:05.110
Link: CVE-2023-6058

Redhat

No data.