CVE-2014-5350
Published 2014-08-19
Priority P3 | 54 | medium | CVSS 2.0 base score 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit
EPSS: 63.89% (99.1st percentile)
Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bitdefender | gravityzone | <= 5.1.5.386 | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts against the Web Console endpoint by monitoring HTTP requests to /webservice/CORE/downloadFullKitEpc/a/1 with 'id' parameter values containing '../' or encoded equivalents ('%2e%2e', '%2E%2E').
- Detect directory traversal attempts against the Update Server on TCP port 7074 by monitoring HTTP GET requests with URL-encoded dot-dot sequences (%2e%2e or %2E%2E) in the URI path.
- Monitor for unauthenticated HTTP requests to /webservice/CORE/downloadSignedCsr, which allows certificate upload without prior authentication.
- Alert on any network connections to TCP ports 27017 and 28017 (MongoDB) from external/untrusted hosts, as the service is exposed by default with hardcoded credentials that cannot be changed.
- Flag HTTP requests where the process serving the response is 'nginx', as file disclosure occurs with the privileges of the nginx OS user, indicating successful exploitation.
Notes:
- MongoDB is exposed on the network by default with hardcoded credentials that cannot be changed; firewall rules must be applied as a mitigation since the credentials themselves are not configurable.
- The Update Server on port 7074 is vulnerable to path traversal independently of the Web Console; both components must be patched/mitigated separately.
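The two traversal detections above, applied to constructed sample request log lines. This is an added example, not code from the page or from Bitdefender; the log format (`host:port method request-uri`) and all sample lines are assumptions, and the check also catches double-encoded and raw `..` segments on the Update Server path, which goes slightly beyond the encoded-only wording above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (assumed format: "<host>:<port> <method> <request-uri>").
SAMPLE_LOG = """\
console.example:443 GET /webservice/CORE/downloadFullKitEpc/a/1?id=../../../../etc/passwd
console.example:443 GET /webservice/CORE/downloadFullKitEpc/a/1?id=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
console.example:443 GET /webservice/CORE/downloadFullKitEpc/a/1?id=kit-1234
update.example:7074 GET /%2E%2E/%2E%2E/%2E%2E/etc/passwd
update.example:7074 GET /x64/update.xml
"""

WEB_CONSOLE_PATH = "/webservice/CORE/downloadFullKitEpc/a/1"   # from the CVE text
UPDATE_SERVER_PORT = 7074                                      # from the CVE text


def has_traversal(value):
    """True if the value contains a '..' path segment after decoding.

    Decoding is applied twice so that %2E%2E, %2e%2e and double-encoded
    %252E%252E are all normalised to '..' before the segment check.
    """
    for _ in range(2):
        value = unquote(value)
    return any(seg == ".." for seg in re.split(r"[\\/]", value))


def scan_line(line):
    """Return a finding label for one log line, or None if it looks benign."""
    hostport, _method, uri = line.split(" ", 2)
    port = int(hostport.rsplit(":", 1)[1])
    parts = urlsplit(uri)
    # Detection 1: Web Console endpoint with a traversing 'id' parameter.
    if parts.path == WEB_CONSOLE_PATH:
        ids = parse_qs(parts.query, keep_blank_values=True).get("id", [])
        if any(has_traversal(v) for v in ids):
            return "web-console-traversal"
    # Detection 2: Update Server (TCP 7074) with dot-dot in the URI path.
    if port == UPDATE_SERVER_PORT and has_traversal(parts.path):
        return "update-server-traversal"
    return None


def scan_log(text):
    """Return (request-uri, label) pairs for every suspicious line."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            label = scan_line(line)
            if label:
                findings.append((line.split(" ", 2)[2], label))
    return findings


if __name__ == "__main__":
    for uri, label in scan_log(SAMPLE_LOG):
        print(f"{label}: {uri}")
```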
References
- http://seclists.org/fulldisclosure/2014/Jul/78
- http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140716-3_Bitdefender_GravityZone_Multiple_critical_vulnerabilities_v10.txt