Unrated severityNVD Advisory· Published Jan 27, 2020· Updated Sep 17, 2024
Bitdefender BOX 2 bootstrap download_image command injection vulnerability
CVE-2019-17095
Description
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability.
Affected products
2- Range: 2.1.47.42, 2.1.53.45
- Range: 2.1.47.42
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.