Vulnerability-Lookup

CNVD-2017-35251

Vulnerability from cnvd - Published: 2017-11-28

Title

华为掌阅APP输入校验漏洞

Description

华为阅读是华为手机内置的手机阅读软件。华为掌阅APP存在输入校验漏洞，该漏洞是由于软件加载网络数据时未能充分校验所使用的URL。攻击者利用该漏洞控制APP访问，进而运行所加载恶意网页中的代码。

Severity

高

Patch Name

华为掌阅APP输入校验漏洞的补丁

Patch Description

华为阅读是华为手机内置的手机阅读软件。华为掌阅APP存在输入校验漏洞，该漏洞是由于软件加载网络数据时未能充分校验所使用的URL。攻击者利用该漏洞控制APP访问，进而运行所加载恶意网页中的代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-cn

Impacted products

Name
Huawei 华为掌阅APP <8.0.2.301

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-15308"
    }
  },
  "description": "\u534e\u4e3a\u9605\u8bfb\u662f\u534e\u4e3a\u624b\u673a\u5185\u7f6e\u7684\u624b\u673a\u9605\u8bfb\u8f6f\u4ef6\u3002\r\n\r\n\u534e\u4e3a\u638c\u9605APP\u5b58\u5728\u8f93\u5165\u6821\u9a8c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u8f6f\u4ef6\u52a0\u8f7d\u7f51\u7edc\u6570\u636e\u65f6\u672a\u80fd\u5145\u5206\u6821\u9a8c\u6240\u4f7f\u7528\u7684URL\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236APP\u8bbf\u95ee\uff0c\u8fdb\u800c\u8fd0\u884c\u6240\u52a0\u8f7d\u6076\u610f\u7f51\u9875\u4e2d\u7684\u4ee3\u7801\u3002",
  "discovererName": "MWR Labs",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-35251",
  "openTime": "2017-11-28",
  "patchDescription": "\u534e\u4e3a\u9605\u8bfb\u662f\u534e\u4e3a\u624b\u673a\u5185\u7f6e\u7684\u624b\u673a\u9605\u8bfb\u8f6f\u4ef6\u3002\r\n\r\n\u534e\u4e3a\u638c\u9605APP\u5b58\u5728\u8f93\u5165\u6821\u9a8c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u8f6f\u4ef6\u52a0\u8f7d\u7f51\u7edc\u6570\u636e\u65f6\u672a\u80fd\u5145\u5206\u6821\u9a8c\u6240\u4f7f\u7528\u7684URL\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236APP\u8bbf\u95ee\uff0c\u8fdb\u800c\u8fd0\u884c\u6240\u52a0\u8f7d\u6076\u610f\u7f51\u9875\u4e2d\u7684\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u534e\u4e3a\u638c\u9605APP\u8f93\u5165\u6821\u9a8c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei \u534e\u4e3a\u638c\u9605APP \u003c8.0.2.301"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-cn",
  "serverity": "\u9ad8",
  "submitTime": "2017-11-23",
  "title": "\u534e\u4e3a\u638c\u9605APP\u8f93\u5165\u6821\u9a8c\u6f0f\u6d1e"
}

CVE-2017-15308 (GCVE-0-2017-15308)

Vulnerability from cvelistv5 – Published: 2017-12-22 17:00 – Updated: 2024-09-16 18:07

Summary

Huawei iReader app before 8.0.2.301 has an input validation vulnerability due to insufficient validation on the URL used for loading network data. An attacker can control app access and load malicious websites created by the attacker, and the code in webpages would be loaded and run.

Severity ?

No CVSS data available.

CWE

input validation

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	iReader	Affected: before 8.0.2.301

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:50:16.564Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iReader",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "before 8.0.2.301"
            }
          ]
        }
      ],
      "datePublic": "2017-11-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Huawei iReader app before 8.0.2.301 has an input validation vulnerability due to insufficient validation on the URL used for loading network data. An attacker can control app access and load malicious websites created by the attacker, and the code in webpages would be loaded and run."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "input validation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-22T16:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "DATE_PUBLIC": "2017-11-20T00:00:00",
          "ID": "CVE-2017-15308",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "iReader",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 8.0.2.301"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Huawei iReader app before 8.0.2.301 has an input validation vulnerability due to insufficient validation on the URL used for loading network data. An attacker can control app access and load malicious websites created by the attacker, and the code in webpages would be loaded and run."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "input validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171120-01-hwreader-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-15308",
    "datePublished": "2017-12-22T17:00:00Z",
    "dateReserved": "2017-10-14T00:00:00",
    "dateUpdated": "2024-09-16T18:07:47.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-35251

CVE-2017-15308 (GCVE-0-2017-15308)

Tags

Sightings

Nomenclature