Details of VAR-202001-0280

ID

VAR-202001-0280

CVE

CVE-2019-17096

TITLE

Bitdefender BOX 2 In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-014397

DESCRIPTION

A OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the `get_image_url()` function in special circumstances to inject a system command. Bitdefender BOX is a smart home security control device from Bitdefender in Romania. The vulnerability stems from the fact that the network system or product did not properly filter the special characters, commands, etc. during the process of constructing the executable command of the operating system by external input data. An attacker could use this vulnerability to execute illegal operating system commands

Trust: 2.25

sources: NVD: CVE-2019-17096 // JVNDB: JVNDB-2019-014397 // CNVD: CNVD-2020-04934 // VULMON: CVE-2019-17096

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-04934

AFFECTED PRODUCTS

vendor:	bitdefender	model:	box 2	scope:	eq	version:	-	Trust: 1.0
vendor:	bitdefender	model:	central	scope:	lt	version:	2.0.66.88	Trust: 1.0
vendor:	bitdefender	model:	central	scope:	lt	version:	2.0.66	Trust: 1.0
vendor:	bitdefender	model:	central	scope:	-	version:	-	Trust: 0.8
vendor:	bitdefender	model:	box 2	scope:	-	version:	-	Trust: 0.8
vendor:	bitdefender	model:	box	scope:	eq	version:	2	Trust: 0.6

sources: CNVD: CNVD-2020-04934 // JVNDB: JVNDB-2019-014397 // NVD: CVE-2019-17096

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-17096
value:	CRITICAL
Trust: 1.0
cve-requests@bitdefender.com:	CVE-2019-17096
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-17096
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-04934
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202001-1168
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2019-17096
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-17096
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-04934
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-17096
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
cve-requests@bitdefender.com:	CVE-2019-17096
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2019-17096
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-04934 // VULMON: CVE-2019-17096 // JVNDB: JVNDB-2019-014397 // CNNVD: CNNVD-202001-1168 // NVD: CVE-2019-17096 // NVD: CVE-2019-17096

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-014397 // NVD: CVE-2019-17096

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202001-1168

PATCH

title:	Bitdefender BOX 2 bootstrap get_image_size command injection vulnerability	url:	https://www.bitdefender.com/support/security-advisories/bitdefender-box-2-bootstrap-get_image_size-command-injection-vulnerability/	Trust: 0.8
title:	Patch for Bitdefender BOX 2 operating system command injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/200375	Trust: 0.6
title:	Bitdefender BOX 2 Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107563	Trust: 0.6

sources: CNVD: CNVD-2020-04934 // JVNDB: JVNDB-2019-014397 // CNNVD: CNNVD-202001-1168

EXTERNAL IDS

db:	NVD	id:	CVE-2019-17096	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-014397	Trust: 0.8
db:	CNVD	id:	CNVD-2020-04934	Trust: 0.6
db:	CNNVD	id:	CNNVD-202001-1168	Trust: 0.6
db:	VULMON	id:	CVE-2019-17096	Trust: 0.1

sources: CNVD: CNVD-2020-04934 // VULMON: CVE-2019-17096 // JVNDB: JVNDB-2019-014397 // CNNVD: CNNVD-202001-1168 // NVD: CVE-2019-17096

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-17096	Trust: 2.0
url:	https://www.bitdefender.com/support/security-advisories/bitdefender-box-2-bootstrap-get_image_size-command-injection-vulnerability/	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/175163	Trust: 0.1

sources: CNVD: CNVD-2020-04934 // VULMON: CVE-2019-17096 // JVNDB: JVNDB-2019-014397 // CNNVD: CNNVD-202001-1168 // NVD: CVE-2019-17096

SOURCES

db:	CNVD	id:	CNVD-2020-04934
db:	VULMON	id:	CVE-2019-17096
db:	JVNDB	id:	JVNDB-2019-014397
db:	CNNVD	id:	CNNVD-202001-1168
db:	NVD	id:	CVE-2019-17096

LAST UPDATE DATE

2024-11-23T23:11:35.808000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-04934	date:	2020-02-13T00:00:00
db:	VULMON	id:	CVE-2019-17096	date:	2020-01-31T00:00:00
db:	JVNDB	id:	JVNDB-2019-014397	date:	2020-02-14T00:00:00
db:	CNNVD	id:	CNNVD-202001-1168	date:	2020-05-21T00:00:00
db:	NVD	id:	CVE-2019-17096	date:	2024-11-21T04:31:41.107

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-04934	date:	2020-02-13T00:00:00
db:	VULMON	id:	CVE-2019-17096	date:	2020-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-014397	date:	2020-02-14T00:00:00
db:	CNNVD	id:	CNNVD-202001-1168	date:	2020-01-27T00:00:00
db:	NVD	id:	CVE-2019-17096	date:	2020-01-27T17:15:12.073