CVE-2024-6980 - OpenCVE

A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Bitdefender	Gravityzone

No data.

No data.

References

Link	Providers
https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2024-07-31T06:58:44.781Z

Updated: 2024-07-31T14:25:18.592Z

Reserved: 2024-07-22T13:28:52.325Z

Link: CVE-2024-6980

Vulnrichment

Updated: 2024-07-31T14:25:08.517Z

NVD

Status : Awaiting Analysis

Published: 2024-07-31T07:15:02.053

Modified: 2024-07-31T12:57:02.300

Link: CVE-2024-6980

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6980", "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "state": "PUBLISHED", "assignerShortName": "Bitdefender", "dateReserved": "2024-07-22T13:28:52.325Z", "datePublished": "2024-07-31T06:58:44.781Z", "dateUpdated": "2024-07-31T14:25:18.592Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GravityZone Update Server", "vendor": "Bitdefender", "versions": [{"lessThan": "6.38.1-5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nicolas VERDIER -- n1nj4sec"}], "datePublic": "2024-07-31T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(232, 232, 232, 0.04);\"><span style=\"background-color: rgba(232, 232, 232, 0.04);\">A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. </span>This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.</span><br>"}], "value": "A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery.\u00a0This issue only affects GravityZone Console versions before 6.38.1-5\u00a0running only on premise."}], "impacts": [{"capecId": "CAPEC-34", "descriptions": [{"lang": "en", "value": "CAPEC-34 HTTP Response Splitting"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender", "dateUpdated": "2024-07-31T06:58:44.781Z"}, "references": [{"url": "https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An automatic update to product version 6.38.1-5 fixes the issue."}], "value": "An automatic update to product version\u00a06.38.1-5 fixes the issue."}], "source": {"discovery": "EXTERNAL"}, "title": "Verbose error handling issue in GravityZone Update Server proxy service", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "bitdefender", "product": "gravityzone", "cpes": ["cpe:2.3:a:bitdefender:gravityzone:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.38.1-5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T13:53:41.601484Z", "id": "CVE-2024-6980", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T14:25:18.592Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-31T13:53:41.601484Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:bitdefender:gravityzone:*:*:*:*:*:*:*:*"], "vendor": "bitdefender", "product": "gravityzone", "versions": [{"status": "affected", "version": "0", "lessThan": "6.38.1-5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T14:25:08.517Z"}}], "cna": {"title": "Verbose error handling issue in GravityZone Update Server proxy service", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Nicolas VERDIER -- n1nj4sec"}], "impacts": [{"capecId": "CAPEC-34", "descriptions": [{"lang": "en", "value": "CAPEC-34 HTTP Response Splitting"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Bitdefender", "product": "GravityZone Update Server", "versions": [{"status": "affected", "version": "0", "lessThan": "6.38.1-5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "An automatic update to product version\u00a06.38.1-5 fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "An automatic update to product version 6.38.1-5 fixes the issue.", "base64": false}]}], "datePublic": "2024-07-31T06:00:00.000Z", "references": [{"url": "https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery.\u00a0This issue only affects GravityZone Console versions before 6.38.1-5\u00a0running only on premise.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(232, 232, 232, 0.04);\"><span style=\"background-color: rgba(232, 232, 232, 0.04);\">A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. </span>This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender", "dateUpdated": "2024-07-31T06:58:44.781Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6980", "state": "PUBLISHED", "dateUpdated": "2024-07-31T14:25:18.592Z", "dateReserved": "2024-07-22T13:28:52.325Z", "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "datePublished": "2024-07-31T06:58:44.781Z", "assignerShortName": "Bitdefender"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery.\u00a0This issue only affects GravityZone Console versions before 6.38.1-5\u00a0running only on premise."}, {"lang": "es", "value": " Un problema detallado de manejo de errores en el servicio proxy implementado en GravityZone Update Server permite a un atacante provocar server-side request forgery. Este problema solo afecta a las versiones de GravityZone Console anteriores a 6.38.1-5 que se ejecutan solo en las instalaciones."}], "id": "CVE-2024-6980", "lastModified": "2024-07-31T12:57:02.300", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}, "published": "2024-07-31T07:15:02.053", "references": [{"source": "cve-requests@bitdefender.com", "url": "https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "cve-requests@bitdefender.com", "type": "Primary"}]}