Vulnerability Details CVE-2018-8955
The installer for BitDefender GravityZone relies on an encoded string in a filename to determine the URL for installation metadata, which allows remote attackers to execute arbitrary code by changing the filename while leaving the file's digital signature unchanged.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.053
EPSS Ranking 89.5%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/149900/Bitdefender-GravityZone-Installer-Signature-Bypass-Code-Execution.html
- http://seclists.org/fulldisclosure/2018/Oct/44
- http://www.securitytracker.com/id/1041940
- https://labs.nettitude.com/blog/cve-2018-8955-bitdefender-gravityzone-arbitrary-code-execution/
- http://packetstormsecurity.com/files/149900/Bitdefender-GravityZone-Installer-Signature-Bypass-Code-Execution.html
- http://seclists.org/fulldisclosure/2018/Oct/44
- http://www.securitytracker.com/id/1041940
- https://labs.nettitude.com/blog/cve-2018-8955-bitdefender-gravityzone-arbitrary-code-execution/
Products affected by CVE-2018-8955
-
cpe:2.3:a:bitdefender:gravityzone:-