Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-10146)
CVE-2021-3960

7.1HIGH

Key Information:

Vendor: Bitdefender
Status: Gravityzone
Vendor: CVE Published:; 1 December 2021

🔔 Create Bitdefender Vulnerability Alert

What is CVE-2021-3960?

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272

Affected Version(s)

GravityZone < 3.3.8.272

References

https://www.bitdefender.com/support/security-advisories/p...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 1, 2021
Vulnerability Reserved
Nov 15, 2021

Credit

Nicolas Verdier, independent security researcher

JSON