VYPR
Unrated severityNVD Advisory· Published Jan 27, 2020· Updated Sep 17, 2024

Bitdefender BOX 2 bootstrap download_image command injection vulnerability

CVE-2019-17095

Description

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.