{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-6980","assignerOrgId":"b3d5ebe7-963e-41fb-98e1-2edaeabb8f82","state":"PUBLISHED","assignerShortName":"Bitdefender","dateReserved":"2024-07-22T13:28:52.325Z","datePublished":"2024-07-31T06:58:44.781Z","dateUpdated":"2024-07-31T14:25:18.592Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"GravityZone Update Server","vendor":"Bitdefender","versions":[{"lessThan":"6.38.1-5","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Nicolas VERDIER -- n1nj4sec"}],"datePublic":"2024-07-31T06:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgba(232, 232, 232, 0.04);\"><span style=\"background-color: rgba(232, 232, 232, 0.04);\">A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery.&nbsp;</span>This issue only affects GravityZone Console versions before 6.38.1-5&nbsp;running only on premise.</span><br>"}],"value":"A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise."}],"impacts":[{"capecId":"CAPEC-34","descriptions":[{"lang":"en","value":"CAPEC-34 HTTP Response Splitting"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.2,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-209","description":"CWE-209: Generation of Error Message Containing Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b3d5ebe7-963e-41fb-98e1-2edaeabb8f82","shortName":"Bitdefender","dateUpdated":"2024-07-31T06:58:44.781Z"},"references":[{"url":"https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An automatic update to product version&nbsp;6.38.1-5 fixes the issue."}],"value":"An automatic update to product version 6.38.1-5 fixes the issue."}],"source":{"discovery":"EXTERNAL"},"title":"Verbose error handling issue in GravityZone Update Server proxy service","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"bitdefender","product":"gravityzone","cpes":["cpe:2.3:a:bitdefender:gravityzone:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"6.38.1-5","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-07-31T13:53:41.601484Z","id":"CVE-2024-6980","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-31T14:25:18.592Z"}}]}}