CVE-2014-5350

Name of the Vulnerable Software and Affected Versions Bitdefender GravityZone versions prior to 5.1.11.432

Description The issue allows remote attackers to read arbitrary files due to multiple directory traversal vulnerabilities. This can be achieved through the Web Console by using a .. (dot dot) in the id parameter to the "webservice/CORE/downloadFullKitEpc/a/1" endpoint, or by using %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server.

Recommendations For versions prior to 5.1.11.432, update to version 5.1.11.432 or later to resolve the issue. As a temporary workaround, consider restricting access to the "webservice/CORE/downloadFullKitEpc/a/1" endpoint and the Update Server on port 7074 to minimize the risk of exploitation. Avoid using the id parameter in the affected endpoint until the issue is resolved.