Avira Antivirus up to 15.0.21.86 Manual Update path traversal

Summaryinfo

A vulnerability classified as problematic has been found in Avira Antivirus up to 15.0.21.86. Affected by this vulnerability is an unknown functionality of the component Manual Update. The manipulation leads to path traversal. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Avira Antivirus up to 15.0.21.86 (Anti-Malware Software) and classified as critical. This issue affects some unknown processing of the component Manual Update. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is integrity, and availability.

The weakness was presented 11/08/2016 by Rio Sherri (R-73eN) as Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM) as confirmed mailinglist post (Full-Disclosure) via Bugcrowd. The advisory is shared at seclists.org. The public release was coordinated in cooperation with Avira. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 66 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Anti-Malware Software

Vendor

• Avira

Name

• Antivirus

Version

• 15.0.21.0
• 15.0.21.1
• 15.0.21.2
• 15.0.21.3
• 15.0.21.4
• 15.0.21.5
• 15.0.21.6
• 15.0.21.7
• 15.0.21.8
• 15.0.21.9
• 15.0.21.10
• 15.0.21.11
• 15.0.21.12
• 15.0.21.13
• 15.0.21.14
• 15.0.21.15
• 15.0.21.16
• 15.0.21.17
• 15.0.21.18
• 15.0.21.19
• 15.0.21.20
• 15.0.21.21
• 15.0.21.22
• 15.0.21.23
• 15.0.21.24
• 15.0.21.25
• 15.0.21.26
• 15.0.21.27
• 15.0.21.28
• 15.0.21.29
• 15.0.21.30
• 15.0.21.31
• 15.0.21.32
• 15.0.21.33
• 15.0.21.34
• 15.0.21.35
• 15.0.21.36
• 15.0.21.37
• 15.0.21.38
• 15.0.21.39
• 15.0.21.40
• 15.0.21.41
• 15.0.21.42
• 15.0.21.43
• 15.0.21.44
• 15.0.21.45
• 15.0.21.46
• 15.0.21.47
• 15.0.21.48
• 15.0.21.49
• 15.0.21.50
• 15.0.21.51
• 15.0.21.52
• 15.0.21.53
• 15.0.21.54
• 15.0.21.55
• 15.0.21.56
• 15.0.21.57
• 15.0.21.58
• 15.0.21.59
• 15.0.21.60
• 15.0.21.61
• 15.0.21.62
• 15.0.21.63
• 15.0.21.64
• 15.0.21.65
• 15.0.21.66
• 15.0.21.67
• 15.0.21.68
• 15.0.21.69
• 15.0.21.70
• 15.0.21.71
• 15.0.21.72
• 15.0.21.73
• 15.0.21.74
• 15.0.21.75
• 15.0.21.76
• 15.0.21.77
• 15.0.21.78
• 15.0.21.79
• 15.0.21.80
• 15.0.21.81
• 15.0.21.82
• 15.0.21.83
• 15.0.21.84
• 15.0.21.85
• 15.0.21.86

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

Video

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion