CVE-2024-2224: 
Bitdefender Endpoint Security Tools vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-2224) was discovered in the UpdateServer component of Bitdefender GravityZone. The vulnerability affects multiple Bitdefender products including Endpoint Security for Linux (version 7.0.5.200089), Endpoint Security for Windows (version 7.9.9.380), and GravityZone Control Center On Premises (version 6.36.1). The vulnerability was disclosed on April 9th, 2024 (Bitdefender Advisory).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue, identified as CWE-22. The CVSS v3.1 base score is 9.8 (Critical) according to NIST's assessment (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Bitdefender rated it with a score of 8.1 (High) (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows an attacker to execute arbitrary code on vulnerable instances of the affected Bitdefender products. This could potentially lead to complete system compromise given the critical nature of the CVSS score (Bitdefender Advisory).

Bitdefender has released automatic updates to address the vulnerability. The fixed versions are: Endpoint Security for Linux version 7.0.5.200090, Endpoint Security for Windows version 7.9.9.381, and GravityZone Control Center (On Premises) version 6.36.1-1. Additionally, an update to version 3.4.2.556 of the UpdateServer component fixes the issue (Bitdefender Advisory).