CVE-2023-49570

A vulnerability has been identified in Bitdefender Total Security HTTPS scanning functionality where the software trusts a certificate issued by an entity that isn't authorized to issue certificates. This occurs when the "Basic Constraints" extension in the certificate indicates that it is meant to be an "End Entity”. This flaw could allow an attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and potentially altering communications between the user and the website.
Configurations

Configuration 1 (hide)

cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*

History

22 Oct 2024, 16:26

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.4
References () https://www.bitdefender.com/support/security-advisories/insecure-trust-of-basic-constraints-certificate-in-bitdefender-total-security-https-scanning-va-11210/ - () https://www.bitdefender.com/support/security-advisories/insecure-trust-of-basic-constraints-certificate-in-bitdefender-total-security-https-scanning-va-11210/ - Vendor Advisory
CPE cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*
First Time Bitdefender total Security
Bitdefender

18 Oct 2024, 12:52

Type Values Removed Values Added
Summary
  • (es) Se ha identificado una vulnerabilidad en la función de análisis HTTPS de Bitdefender Total Security, en la que el software confía en un certificado emitido por una entidad que no está autorizada a emitir certificados. Esto ocurre cuando la extensión "Basic Constraints" del certificado indica que está destinado a ser una "Entidad final". Esta falla podría permitir a un atacante realizar un ataque Man-in-the-Middle (MITM), interceptando y potencialmente alterando las comunicaciones entre el usuario y el sitio web.

18 Oct 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-18 09:15

Updated : 2024-10-22 16:26


NVD link : CVE-2023-49570

Mitre link : CVE-2023-49570

CVE.ORG link : CVE-2023-49570


JSON object : View

Products Affected

bitdefender

  • total_security
CWE
CWE-295

Improper Certificate Validation