Vulnerability Description
The installer for BitDefender GravityZone relies on an encoded string in a filename to determine the URL for installation metadata, which allows remote attackers to execute arbitrary code by changing the filename while leaving the file's digital signature unchanged.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitdefender | Gravityzone | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/149900/Bitdefender-GravityZone-Installer-SiThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Oct/44Mailing ListThird Party Advisory
- http://www.securitytracker.com/id/1041940Third Party AdvisoryVDB Entry
- https://labs.nettitude.com/blog/cve-2018-8955-bitdefender-gravityzone-arbitrary-ExploitThird Party Advisory
- http://packetstormsecurity.com/files/149900/Bitdefender-GravityZone-Installer-SiThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Oct/44Mailing ListThird Party Advisory
- http://www.securitytracker.com/id/1041940Third Party AdvisoryVDB Entry
- https://labs.nettitude.com/blog/cve-2018-8955-bitdefender-gravityzone-arbitrary-ExploitThird Party Advisory
FAQ
What is CVE-2018-8955?
CVE-2018-8955 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The installer for BitDefender GravityZone relies on an encoded string in a filename to determine the URL for installation metadata, which allows remote attackers to execute arbitrary code by changing ...
How severe is CVE-2018-8955?
CVE-2018-8955 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-8955?
Check the references section above for vendor advisories and patch information. Affected products include: Bitdefender Gravityzone.