Server-Side Request Forgery in Bitdefender GravityZone Update Server in Relay Mode (VA-10145)

Publication date: December 16th, 2021

CVE ID: CVE-2021-3959
CVSS score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected vendors: Bitdefender
Affected products: GravityZone
Vulnerability details:

A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects Bitdefender GravityZone versions prior to 3.3.8.
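The advisory does not publish the fix itself; the following is an added illustration, not Bitdefender code, of the destination check a relay-mode update server can apply before forwarding a request so that it only reaches its configured upstream update server rather than any host named in the incoming request. The allowlist entries, the `vet_forward_target` helper and the sample URLs are constructed for this example.

```python
"""Destination allowlist for an update relay (hypothetical example).

A relay that forwards update requests must only reach the upstream
servers it was configured with; otherwise the relay becomes a proxy
into its own network (SSRF). This helper vets the target before any
connection is made."""
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: (scheme, host, port) tuples the relay may reach.
ALLOWED_UPSTREAMS = {("https", "update.example-vendor.test", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


class ForwardRejected(ValueError):
    """Raised when a requested target is outside the relay's allowlist."""


def vet_forward_target(requested_url, allowed=ALLOWED_UPSTREAMS):
    """Return a normalized URL the relay may forward to, or raise.

    Rejects non-HTTP(S) schemes and embedded credentials (user@host is a
    classic way to confuse naive host parsing), normalizes host case and
    port, strips fragments, and compares against the allowlist. Redirects
    from upstream are new targets and must be vetted again by the caller."""
    parts = urlsplit(requested_url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ForwardRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ForwardRejected("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ForwardRejected("missing host")
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        raise ForwardRejected("invalid port") from None
    if (parts.scheme, host, port) not in allowed:
        raise ForwardRejected(f"upstream not in allowlist: {host}:{port}")
    netloc = host if port == DEFAULT_PORTS[parts.scheme] else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def is_forwardable(requested_url, allowed=ALLOWED_UPSTREAMS):
    """Boolean convenience wrapper around vet_forward_target."""
    try:
        vet_forward_target(requested_url, allowed)
        return True
    except ForwardRejected:
        return False
```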

Additional details: An automatic update to version 3.3.8 fixes the issue.
Credit: Nicolas Verdier, independent security researcher