#VU22594 Input validation error in Bitdefender BOX - CVE-2019-12612
Published: November 7, 2019
Vulnerability identifier: #VU22594
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-12612
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Bitdefender BOX
Bitdefender BOX
Software vendor:
Bitdefender
Bitdefender
Description
The vulnerability allows a local user to execute arbitrary code to the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A local authenticated administrator can pass arbitrary code to the BOX appliance via the web API.
In order to exploit this vulnerability, an attacker needs presence in Bitdefender BOX setup network and Bitdefender BOX be in setup mode.
Remediation
Install updates from vendor's website.