CVE-2019-17102 · CVEKit

cve.orgen

391 chars

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.

NVDen

391 chars

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.

NVDes

471 chars

Se presenta una vulnerabilidad de ejecución de comando explotable en la partición de recuperación de Bitdefender BOX 2, versión 2.0.1.91. El método "/api/update_setup" de la API no realiza comprobaciones de firma de firmware automáticamente, lo que conlleva a una condición de carrera explotable (TOCTTOU) lo que permite una ejecución arbitraria de comandos de sistema. Este problema afecta a: Bitdefender Bitdefender BOX 2 versiones anteriores versiones hasta 2.1.47.36.

CVSS metrics across sources

5

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	9.3	8.6	10.0	AV:N/AC:M/Au:N/C:C/I:C/A:C
3.1	Primary	cve.org	8.3	—	—	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H