Vulnerability-Lookup

CNVD-2017-03716

Vulnerability from cnvd - Published: 2017-03-31

Title

Huawei VCM5010鉴权绕过漏洞

Description

VCM5010是中国华为（Huawei）公司的一款视频内容管理平台，是一体化视频大数据分析设备。 Huawei VCM5010存在鉴权绕过漏洞，由于对访问web页面的权限验证不当，攻击者可以通过伪造HTTP请求来绕过身份认证。

Severity

高

Patch Name

Huawei VCM5010鉴权绕过漏洞的补丁

Patch Description

VCM5010是中国华为（Huawei）公司的一款视频内容管理平台，是一体化视频大数据分析设备。 Huawei VCM5010存在鉴权绕过漏洞，由于对访问web页面的权限验证不当，攻击者可以通过伪造HTTP请求来绕过身份认证。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

华为已发布版本修复该漏洞，安全预警链接： http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170329-01-vcm-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170329-01-vcm-cn

Impacted products

Name
Huawei VCM5010 <V100R002C50SPC100

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-2738"
    }
  },
  "description": "VCM5010\u662f\u4e2d\u56fd\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u89c6\u9891\u5185\u5bb9\u7ba1\u7406\u5e73\u53f0\uff0c\u662f\u4e00\u4f53\u5316\u89c6\u9891\u5927\u6570\u636e\u5206\u6790\u8bbe\u5907\u3002 \r\n\r\nHuawei VCM5010\u5b58\u5728\u9274\u6743\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u7531\u4e8e\u5bf9\u8bbf\u95eeweb\u9875\u9762\u7684\u6743\u9650\u9a8c\u8bc1\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u4f2a\u9020HTTP\u8bf7\u6c42\u6765\u7ed5\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u534e\u4e3a\u5df2\u53d1\u5e03\u7248\u672c\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5b89\u5168\u9884\u8b66\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170329-01-vcm-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-03716",
  "openTime": "2017-03-31",
  "patchDescription": "VCM5010\u662f\u4e2d\u56fd\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u89c6\u9891\u5185\u5bb9\u7ba1\u7406\u5e73\u53f0\uff0c\u662f\u4e00\u4f53\u5316\u89c6\u9891\u5927\u6570\u636e\u5206\u6790\u8bbe\u5907\u3002 \r\n\r\nHuawei VCM5010\u5b58\u5728\u9274\u6743\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u7531\u4e8e\u5bf9\u8bbf\u95eeweb\u9875\u9762\u7684\u6743\u9650\u9a8c\u8bc1\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u4f2a\u9020HTTP\u8bf7\u6c42\u6765\u7ed5\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Huawei VCM5010\u9274\u6743\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei VCM5010 \u003cV100R002C50SPC100"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170329-01-vcm-cn",
  "serverity": "\u9ad8",
  "submitTime": "2017-03-31",
  "title": "Huawei VCM5010\u9274\u6743\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2017-2738 (GCVE-0-2017-2738)

Vulnerability from cvelistv5 – Published: 2017-11-22 19:00 – Updated: 2024-09-17 01:25

Summary

VCM5010 with software versions earlier before V100R002C50SPC100 has an authentication bypass vulnerability. This is due to improper implementation of authentication for accessing web pages. An unauthenticated attacker could bypass the authentication by sending a crafted HTTP request. 5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that uploaded. An authenticated attacker could upload arbitrary files to the system.

Severity ?

No CVSS data available.

CWE

authentication bypass

Assigner

huawei

References

URL

Tags

	http://www.huawei.com/en/psirt/security-advisorie…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/97231	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	VCM5010	Affected: Versions earlier before V100R002C50SPC100

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:07.751Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en"
          },
          {
            "name": "97231",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97231"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VCM5010",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Versions earlier before V100R002C50SPC100"
            }
          ]
        }
      ],
      "datePublic": "2017-11-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "VCM5010 with software versions earlier before V100R002C50SPC100 has an authentication bypass vulnerability. This is due to improper implementation of authentication for accessing web pages. An unauthenticated attacker could bypass the authentication by sending a crafted HTTP request. 5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that uploaded. An authenticated attacker could upload arbitrary files to the system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "authentication bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-23T10:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en"
        },
        {
          "name": "97231",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97231"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "DATE_PUBLIC": "2017-11-15T00:00:00",
          "ID": "CVE-2017-2738",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "VCM5010",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions earlier before V100R002C50SPC100"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "VCM5010 with software versions earlier before V100R002C50SPC100 has an authentication bypass vulnerability. This is due to improper implementation of authentication for accessing web pages. An unauthenticated attacker could bypass the authentication by sending a crafted HTTP request. 5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that uploaded. An authenticated attacker could upload arbitrary files to the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "authentication bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en"
            },
            {
              "name": "97231",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97231"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-2738",
    "datePublished": "2017-11-22T19:00:00Z",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-09-17T01:25:40.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-03716

CVE-2017-2738 (GCVE-0-2017-2738)

Tags

Sightings

Nomenclature