CVE-2014-5350
published 2014-08-19

Priority: P3 · 54 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 63.89% (99.1th percentile)
Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server.

Affected

1 range

Vendor: bitdefender
Product: gravityzone
Version range: <= 5.1.5.386
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: https://<host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd
path: /webservice/CORE/downloadFullKitEpc/a/1
path: /webservice/CORE/downloadSignedCsr
command: GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
port: 7074
port: 27017
port: 28017
  • Detect directory traversal attempts against the Web Console endpoint by monitoring HTTP requests to /webservice/CORE/downloadFullKitEpc/a/1 with 'id' parameter values containing '../' or encoded equivalents ('%2e%2e', '%2E%2E').
  • Detect directory traversal attempts against the Update Server on TCP port 7074 by monitoring HTTP GET requests with URL-encoded dot-dot sequences (%2e%2e or %2E%2E) in the URI path.
  • Monitor for HTTP requests to /webservice/CORE/downloadSignedCsr, which allows certificate upload without prior authentication.
  • Alert on any network connections to TCP ports 27017 and 28017 (MongoDB) from external/untrusted hosts, as the service is exposed by default with hardcoded credentials that cannot be changed.
  • Flag HTTP requests where the process serving the response is 'nginx', as file disclosure occurs with the privileges of the nginx OS user, indicating successful exploitation.
  • MongoDB is exposed on the network by default with hardcoded credentials that cannot be changed; firewall rules must be applied as a mitigation since the credentials themselves are not configurable.
  • The Update Server on port 7074 is vulnerable to path traversal independently of the Web Console; both components must be patched/mitigated separately.
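The detection rules above can be turned into a small log-matching routine. The following is an added example, not part of the advisory or of any Bitdefender tooling: it runs the four network-observable rules (Web Console `id` traversal, Update Server path traversal on port 7074, requests to the unauthenticated CSR endpoint, and external connections to the MongoDB ports) over constructed sample request records. The record field names (`dst_port`, `target`, `src_external`) are assumptions about the log source. It goes slightly beyond the page in two ways: the `id` parameter is percent-decoded repeatedly so a double-encoded dot-dot is still caught, and the port-7074 rule also matches a plain `../` in the path, not only the `%2e%2e` form the advisory quotes.

```python
"""Log-matching for the CVE-2014-5350 detection rules listed on this page.

Added example; not the advisory's or Bitdefender's code. Sample records are
constructed inline and the field names are assumptions about the log source.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

KIT_PATH = "/webservice/CORE/downloadFullKitEpc/a/1"   # Web Console kit download
CSR_PATH = "/webservice/CORE/downloadSignedCsr"         # unauthenticated CSR upload
UPDATE_SERVER_PORT = 7074
MONGODB_PORTS = {27017, 28017}

# A '..' path segment after decoding, e.g. "../../etc/passwd" or "a/../b".
DOT_DOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
# The raw URL-encoded form quoted in the advisory ("%2e%2e" / "%2E%2E").
ENCODED_DOT_DOT = re.compile(r"%2e%2e", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %252e%252e is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(record: dict) -> list[str]:
    """Return the names of the page's detection rules that one request record trips."""
    port = record["dst_port"]
    parts = urlsplit(record.get("target", ""))
    decoded_path = fully_decode(parts.path)
    findings: list[str] = []

    # Rule 1: '..' (or an encoded equivalent) in the 'id' parameter of the kit download.
    if decoded_path == KIT_PATH:
        for raw_id in parse_qs(parts.query).get("id", []):
            if DOT_DOT.search(fully_decode(raw_id)):
                findings.append("webconsole-id-traversal")
                break

    # Rule 2: dot-dot sequences in the URI path sent to the Update Server on 7074.
    if port == UPDATE_SERVER_PORT and (
        ENCODED_DOT_DOT.search(parts.path) or DOT_DOT.search(decoded_path)
    ):
        findings.append("updateserver-path-traversal")

    # Rule 3: any request to the CSR endpoint, which needs no prior authentication.
    if decoded_path == CSR_PATH:
        findings.append("unauthenticated-csr-upload")

    # Rule 4: MongoDB ports reached from outside the trusted network.
    if port in MONGODB_PORTS and record.get("src_external", False):
        findings.append("mongodb-external-access")

    return findings


def scan(records: list[dict]) -> dict[int, list[str]]:
    """Map record index -> matched rules, keeping only records that matched something."""
    hits = {}
    for index, record in enumerate(records):
        matched = classify(record)
        if matched:
            hits[index] = matched
    return hits


# Constructed sample records (not real traffic); 'target' is the raw request-target.
SAMPLE_RECORDS = [
    {"dst_port": 443, "src_external": True,
     "target": "/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd"},
    {"dst_port": 7074, "src_external": True,
     "target": "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"},
    {"dst_port": 443, "src_external": True,
     "target": "/webservice/CORE/downloadFullKitEpc/a/1?id=1234"},      # benign
    {"dst_port": 443, "src_external": True,
     "target": "/webservice/CORE/downloadSignedCsr"},
    {"dst_port": 27017, "src_external": True, "target": ""},
    {"dst_port": 27017, "src_external": False, "target": ""},            # internal, benign
    {"dst_port": 443, "src_external": True,                              # double-encoded
     "target": "/webservice/CORE/downloadFullKitEpc/a/1?id=%252e%252e%252f%252e%252e%252fetc%252fpasswd"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_RECORDS).items():
        print(f"record {index}: {', '.join(rules)}")
```

`parse_qs` already applies one round of percent-decoding, so the explicit `fully_decode` on the `id` value is what catches the double-encoded variant in the last sample record; a rule that only greps the raw query for `../` would miss it.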