1. Home
  2. CVE Database
  3. CVE-2019-17102
HIGH · 8.3

CVE-2019-17102

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks at...

Vulnerability Description

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.

CVSS Score

8.3

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
ADJACENT_NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
BitdefenderBox 2 Firmware< 2.1.47.36
BitdefenderBox 2-

Related Weaknesses (CWE)

CWE-367CWE-413

References

FAQ

What is CVE-2019-17102?

CVE-2019-17102 is a vulnerability with a CVSS score of 8.3 (HIGH). An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks at...

How severe is CVE-2019-17102?

CVE-2019-17102 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-17102?

Check the references section above for vendor advisories and patch information. Affected products include: Bitdefender Box 2 Firmware, Bitdefender Box 2.