CVE-2017-17140 - OpenCVE

Huawei Enjoy 5s and Y6 Pro smartphones with software the versions before TAG-AL00C92B170; the versions before TIT-L01C576B121 have an information leak vulnerability due to the lack of parameter validation. An attacker tricks a user into installing a malicious application on the smart phone and the application can read some sensitive information in kernel memory which may cause sensitive information leak.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Y6 Pro Firmware Enjoy 5s Firmware Y6 Pro Enjoy 5s

Configuration 1 [-]

AND

cpe:2.3:o:huawei:enjoy_5s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:enjoy_5s:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:huawei:y6_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:y6_pro:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171213-02-smartphone-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2017-12-06T00:00:00

Updated: 2018-03-05T18:57:02

Reserved: 2017-12-04T00:00:00

Link: CVE-2017-17140

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-03-05T19:29:00.690

Modified: 2018-03-27T20:40:35.570

Link: CVE-2017-17140

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "Enjoy 5s; Y6 Pro", "vendor": "Huawei Technologies Co., Ltd.", "versions": [{"status": "affected", "version": "The versions before TAG-AL00C92B170"}, {"status": "affected", "version": "The versions before TIT-L01C576B121"}]}], "datePublic": "2017-12-06T00:00:00", "descriptions": [{"lang": "en", "value": "Huawei Enjoy 5s and Y6 Pro smartphones with software the versions before TAG-AL00C92B170; the versions before TIT-L01C576B121 have an information leak vulnerability due to the lack of parameter validation. An attacker tricks a user into installing a malicious application on the smart phone and the application can read some sensitive information in kernel memory which may cause sensitive information leak."}], "problemTypes": [{"descriptions": [{"description": "information leak", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-05T18:57:02", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171213-02-smartphone-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "DATE_PUBLIC": "2017-12-06T00:00:00", "ID": "CVE-2017-17140", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Enjoy 5s; Y6 Pro", "version": {"version_data": [{"version_value": "The versions before TAG-AL00C92B170"}, {"version_value": "The versions before TIT-L01C576B121"}]}}]}, "vendor_name": "Huawei Technologies Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Huawei Enjoy 5s and Y6 Pro smartphones with software the versions before TAG-AL00C92B170; the versions before TIT-L01C576B121 have an information leak vulnerability due to the lack of parameter validation. An attacker tricks a user into installing a malicious application on the smart phone and the application can read some sensitive information in kernel memory which may cause sensitive information leak."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "information leak"}]}]}, "references": {"reference_data": [{"name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171213-02-smartphone-en", "refsource": "CONFIRM", "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171213-02-smartphone-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2017-17140", "datePublished": "2017-12-06T00:00:00", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2018-03-05T18:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:enjoy_5s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EBB58894-5BF4-48D0-8119-968F0CCEE653", "versionEndExcluding": "tag-al00c92b170", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:enjoy_5s:-:*:*:*:*:*:*:*", "matchCriteriaId": "60819E83-1C4F-4C5F-BA95-ECA74AAFACDD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:y6_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "934F4514-119F-4756-90DF-742C25935603", "versionEndExcluding": "tit-l01c576b121", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:y6_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6F54999-3926-438D-BF21-8417C6B7A175", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Huawei Enjoy 5s and Y6 Pro smartphones with software the versions before TAG-AL00C92B170; the versions before TIT-L01C576B121 have an information leak vulnerability due to the lack of parameter validation. An attacker tricks a user into installing a malicious application on the smart phone and the application can read some sensitive information in kernel memory which may cause sensitive information leak."}, {"lang": "es", "value": "Los smartphones Huawei Enjoy 5s y Y6 Pro con software en versiones anteriores a la TAG-AL00C92B170 y versiones anteriores a la TIT-L01C576B121 tienen una vulnerabilidad de filtrado de informaci\u00f3n debido a la falta de validaci\u00f3n de par\u00e1metros. Un atacante podr\u00eda enga\u00f1ar a un usuario para que instale una aplicaci\u00f3n maliciosa en el smartphone que pueda leer informaci\u00f3n sensible en la memoria del kernel, lo que podr\u00eda causar una filtraci\u00f3n de informaci\u00f3n sensible."}], "id": "CVE-2017-17140", "lastModified": "2018-03-27T20:40:35.570", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-05T19:29:00.690", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171213-02-smartphone-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}