Back

Improper Access Control vulnerability in patchesUpdate API (VA-9825)

Publication date: November 24th, 2021

CVE ID:

CVE-2021-3554

CVSS scrore:

9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected vendors:

Bitdefender

Affected products:

Endpoint Secuirty Tools for Linux

Vulnerability details:

Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches.

This issue affects Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390.

Additional details:

An automatic update to version 6.6.27.390 fixes the issue.

Credit:

Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS